Abstract

We study the complexity of some fundamental operations for triangular sets in
dimension zero. Using Las Vegas algorithms, we prove that one can perform such
operations as change of order, equiprojectable decomposition, or quasi-inverse
computation with a cost that is essentially that of modular composition. Over an abstract
field, this leads to a subquadratic cost (with respect to the degree of the underlying
algebraic set). Over a finite field, in a boolean RAM model, we obtain a quasi-linear
running time using Kedlaya and Umans' algorithm for modular composition.

Conversely, we also show how to reduce the problem of modular composition to 
change of order for triangular sets, so that all these problems are essentially equivalent. 

Our algorithms are implemented in Maple; we present some experimental results. 

1 Introduction 

Triangular sets (in dimension zero, in this paper) are families of polynomials with a simple 
triangular structure, which turns out to be well adapted to solve many problems for systems 
of polynomial equations. As a result, there is now a vast literature dedicated to algorithms 
with triangular sets, their generalization to regular chains, and applications: without being 
exhaustive, we refer the reader to [22 H |32l EHl EH EH] • 

However, from the algorithmic point of view, many questions remain. Despite a growing 
amount of work |3T1 |28l |8], the complexity of many basic operations with triangular sets 
(such as set-theoretic operations on their zero-sets, change of variable order, or arithmetic 
operations modulo a triangular set) remains imperfectly understood. 

The aim of this paper is to answer some of these questions, by describing fast algorithms
for several operations with triangular sets, extending our previous results from [31]. In
particular, we will focus on the relationship between these problems and some classical
operations on univariate and bivariate polynomials, called modular composition and power
projection. To describe these issues in more detail, we need a few definitions.



1.1 Basic definitions 

Triangular sets. Let $\mathbb{K}$ be our base field, and let $\mathbf{X} = X_1, \dots, X_n$ be indeterminates over
$\mathbb{K}$; we order them as $X_1 < \cdots < X_n$. A (monic) triangular set $\mathbf{T} = (T_1, \dots, T_n)$, for this
variable order, is a family of polynomials in $\mathbb{K}[\mathbf{X}]$ with the following triangular structure

$$\mathbf{T} \;\left|\; \begin{array}{l} T_n(X_1, \dots, X_n) \\ \quad\vdots \\ T_1(X_1), \end{array} \right.$$

and such that for all $i$, $T_i$ is monic in $X_i$ and reduced modulo $\langle T_1, \dots, T_{i-1} \rangle$, in the sense that
$\deg(T_i, X_j) < \deg(T_j, X_j)$ for $j < i$; in particular, $\mathbf{T}$ is a zero-dimensional Gröbner basis for
the lexicographic order induced by $X_1 < \cdots < X_n$. In all that follows, we will impose the
condition that $\mathbb{K}$ is a perfect field; often, we will also require that $\langle \mathbf{T} \rangle$ is a radical ideal.

We write $d_i = \deg(T_i, X_i)$; $\mathbf{d} = (d_1, \dots, d_n)$ will be called the multidegree of $\mathbf{T}$. Define
further $R_{\mathbf{T}} = \mathbb{K}[\mathbf{X}]/\langle \mathbf{T} \rangle$. Then, $\delta_{\mathbf{T}} = d_1 \cdots d_n$ is the natural complexity measure associated
to computations modulo $\langle \mathbf{T} \rangle$, as it represents the dimension of the residue class ring $R_{\mathbf{T}}$
over $\mathbb{K}$. This integer will be called the degree of $\mathbf{T}$.

In all our algorithms, elements of $R_{\mathbf{T}}$ are represented on the monomial basis
$B_{\mathbf{T}} = \{X_1^{a_1} \cdots X_n^{a_n} \mid 0 \le a_i < d_i \text{ for all } i\}$. Dually, all $\mathbb{K}$-linear forms $R_{\mathbf{T}} \to \mathbb{K}$ are represented by
their values on the basis $B_{\mathbf{T}}$.



Equiprojectable sets. Not every zero-dimensional radical ideal $I$ in $\mathbb{K}[\mathbf{X}]$ admits a
triangular set of generators: this is the case only when the zero-set $V = V(I) \subset \overline{\mathbb{K}}^n$ possesses a
geometric property called equiprojectability. For the moment, we will simply give an idea
of the definition; proper definitions are in Section 111

Roughly speaking, $V$ is equiprojectable if all fibers of the projection $V \to \overline{\mathbb{K}}^{n-1}$ have
the same cardinality, and similarly for the further projections to $\overline{\mathbb{K}}^{n-2}, \dots, \overline{\mathbb{K}}$. For instance,
of the following pictures, the left-hand one describes an equiprojectable set, whereas the
right-hand one does not (since the rightmost fiber has a larger cardinality than the others).

[Figure: two finite point sets in the $(X_1, X_2)$-plane; the left-hand one is equiprojectable, the right-hand one is not.]

The relationship with triangular representations is described in [1]: $V$ is equiprojectable
if and only if its defining ideal $I$ is generated by a triangular set (for this equivalence, it is
required that the base field be perfect).



Equiprojectable decomposition. Any finite set can be decomposed, in general not
uniquely, into a finite union of pairwise disjoint equiprojectable sets. At the level of
ideals, this amounts to writing a zero-dimensional radical ideal $I$ as $I = \langle \mathbf{T}^{(1)} \rangle \cap \cdots \cap \langle \mathbf{T}^{(s)} \rangle$, with
all $\mathbf{T}^{(i)}$ being triangular sets and all ideals $\langle \mathbf{T}^{(i)} \rangle$ being pairwise coprime. Of course, starting
from $I$ in $\mathbb{K}[\mathbf{X}]$, we want all $\mathbf{T}^{(i)}$ to have coefficients in $\mathbb{K}$ as well.

To solve the non-uniqueness issue, the decomposition of I into an intersection of maximal 
ideals may appear as a good candidate; however, it suffers from significant drawbacks. For 
instance, computing it requires us to factor polynomials over K, or extensions of it: even if 
we strengthen our model by requiring that K and its finite extensions support this operation, 
it is usually prohibitively costly. 

There exists another canonical way to find such a decomposition, called the equiprojectable 
decomposition [15]. For instance, among its useful properties is the fact that it behaves well 
under specialization: if $\mathbb{K}$ is the fraction field of a ring $A$ such as $A = k[Z_1, \dots, Z_r]$ or $A = \mathbb{Z}$
and $\mathfrak{m}$ is a maximal ideal of $A$, the equiprojectable decomposition of $(I \bmod \mathfrak{m})$ coincides with
the equiprojectable decomposition of $I$, reduced modulo $\mathfrak{m}$, for "most" maximal ideals $\mathfrak{m}$. We
refer to [13] for more precise statements; here, we simply point out that this property makes 
it for instance possible to apply modular methods, such as Hensel lifting techniques [371 EH] , 
to recover the equiprojectable decomposition of $I$ starting from that of $(I \bmod \mathfrak{m})$; the
decomposition of $I$ into maximal ideals does not have this useful specialization property.

While the definition of the equiprojectable decomposition is technical, the idea is simple.
We will proceed geometrically: to obtain the equiprojectable decomposition of a finite set
$V \subset \overline{\mathbb{K}}^n$, we first split it using the cardinality of the fibers of the projection $\overline{\mathbb{K}}^n \to \overline{\mathbb{K}}^{n-1}$.
Then we apply the same process to all the components we obtained, using the projection to
$\overline{\mathbb{K}}^{n-2}$, and so on (again, we refer the reader to Section [ij for precise definitions). The following
picture (from [15]) shows the equiprojectable decomposition of the non-equiprojectable set
$V$ of the former example.




Each component of the equiprojectable decomposition is an equiprojectable set. As a
result, this construction allows us to represent an arbitrary finite set $V$, defined over $\mathbb{K}$, by
means of a canonical family of triangular sets with coefficients in $\mathbb{K}$, that depends only on
the order $<$ we have chosen on the variables. The collection of these triangular sets will thus
be denoted by $\mathcal{D}(V, <)$.
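The splitting process described above, run on a finite point set, as an added example (it is not code from the paper or from its Maple implementation). It assumes points with coordinates in the prime field $\mathbb{F}_{101}$ and builds the triangular set of each component only for $n = 2$; all function names and the sample set are constructed for illustration.

```python
from collections import defaultdict

P = 101  # constructed example: coordinates live in the prime field F_101

def split_by_fiber_size(points, k):
    """Split `points` by the cardinality of the fibers of the projection x -> x[:k]."""
    fibers = defaultdict(list)
    for x in points:
        fibers[x[:k]].append(x)
    classes = defaultdict(set)
    for fiber in fibers.values():
        classes[len(fiber)].update(fiber)
    return [classes[size] for size in sorted(classes)]

def is_equiprojectable(points):
    """True if, for every k < n, all fibers of x -> x[:k] have the same cardinality."""
    points = {tuple(x) for x in points}
    n = len(next(iter(points)))
    return all(len(split_by_fiber_size(points, k)) == 1 for k in range(1, n))

def equiprojectable_decomposition(points):
    """Split on the projection to n-1 coordinates, then n-2, ..., then 1."""
    components = [{tuple(x) for x in points}]
    n = len(next(iter(components[0])))
    for k in range(n - 1, 0, -1):
        components = [piece for comp in components
                      for piece in split_by_fiber_size(comp, k)]
    return components

def poly_mul(a, b, p=P):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def poly_from_roots(roots, p=P):
    out = [1]                                  # coefficient lists, low degree first
    for r in roots:
        out = poly_mul(out, [(-r) % p, 1], p)
    return out

def lagrange_basis(nodes, a, p=P):
    """Polynomial equal to 1 at `a` and 0 at the other nodes."""
    others = [t for t in nodes if t != a]
    denom = 1
    for t in others:
        denom = denom * (a - t) % p
    inv = pow(denom, -1, p)
    return [c * inv % p for c in poly_from_roots(others, p)]

def triangular_set(points, p=P):
    """(T1, T2) for an equiprojectable subset of F_p^2; T2[j] is the X2^j coefficient."""
    fibers = defaultdict(list)
    for x1, x2 in points:
        fibers[x1].append(x2)
    nodes = sorted(fibers)
    d2 = len(fibers[nodes[0]])
    if any(len(f) != d2 for f in fibers.values()):
        raise ValueError("point set is not equiprojectable")
    t2 = [[0] * len(nodes) for _ in range(d2 + 1)]
    for a in nodes:                            # interpolate the fiber polynomials in X1
        basis = lagrange_basis(nodes, a, p)
        for j, c in enumerate(poly_from_roots(fibers[a], p)):
            for i, b in enumerate(basis):
                t2[j][i] = (t2[j][i] + c * b) % p
    return poly_from_roots(nodes, p), t2

def zero_set(t1, t2, p=P):
    """Common zeros of T1(X1) and T2(X1, X2) in F_p^2, by exhaustive search."""
    def ev(poly, x):
        acc = 0
        for c in reversed(poly):
            acc = (acc * x + c) % p
        return acc
    return {(a, b) for a in range(p) if ev(t1, a) == 0
            for b in range(p) if ev([ev(c, a) for c in t2], b) == 0}

# Constructed sample: the fiber above X1 = 2 has three points, the others two.
SAMPLE_V = [(0, 0), (0, 1), (1, 0), (1, 1), (2, 0), (2, 1), (2, 2)]
```

On `SAMPLE_V` the decomposition has two components, of degrees 4 and 3, and the zero-set of each component's triangular set is exactly that component.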



1.2 Our contribution 

Our purpose is to give algorithms for various operations involving a triangular set, or a family 
thereof. We will make these questions more precise below; for the moment, one should 
have in mind problems such as modular arithmetic, computation of the equiprojectable 
decomposition, or change of order on the variables. 



Two central problems. The following two problems, called modular composition and
power projection, will be at the heart of our algorithms. Given a triangular set $\mathbf{T}$ in
$\mathbb{K}[X_1, \dots, X_n]$, the general forms of these questions are the following.

• modular composition: given $F$ in $\mathbb{K}[Y_1, \dots, Y_m]$, with $\deg(F, Y_i) < f_i$ for all $i$, and
$(G_1, \dots, G_m)$ in $R_{\mathbf{T}}^m$, compute $F(G_1, \dots, G_m) \in R_{\mathbf{T}}$;

• power projection: given a linear form $\ell : R_{\mathbf{T}} \to \mathbb{K}$, $(G_1, \dots, G_m)$ in $R_{\mathbf{T}}^m$ and bounds
$f_1, \dots, f_m$, compute $\ell(G_1^{c_1} \cdots G_m^{c_m})$, for all $c_1 < f_1, \dots, c_m < f_m$.

In both cases, we will write $\mathbf{f} = (f_1, \dots, f_m)$ and $\delta_{\mathbf{f}} = f_1 \cdots f_m$, so that the size of the problem
is characterized by $\delta_{\mathbf{f}}$ and $\delta_{\mathbf{T}}$. We will call $(m, n)$ the parameters for these questions, and
$\max(\delta_{\mathbf{f}}, \delta_{\mathbf{T}})$ the size. When $\mathbf{T}$ and $G_1, \dots, G_m$ are fixed, the two problems become linear in
respectively $F$ and $\ell$; as it turns out, they are dual problems, as was observed by Shoup for
$m = n = 1$.

The only cases we will need actually have parameters $m, n$ in $\{1, 2\}$. Besides, we will
always suppose that $\delta_{\mathbf{f}} \le \delta_{\mathbf{T}}$, so that all costs can be measured in terms of $\delta_{\mathbf{T}}$ only. However,
even in this simple situation, these questions have resisted many attempts.

As of now, no quasi-linear time algorithm is known in an algebraic complexity model
(say using an algebraic RAM, counting field operations at unit cost). Among the best
results known to us is that both operations can be done in time $O(\delta_{\mathbf{T}}^{(\omega+1)/2})$, where $\omega$ is
such that matrices over $\mathbb{K}$ of size $n$ can be multiplied in time $O(n^\omega)$; we assume $\omega > 2$,
otherwise logarithmic terms may appear. Using the exponent $\omega \le 2.38$ from [13], this gives
the subquadratic estimate $O(\delta_{\mathbf{T}}^{1.69})$.

For $(m, n) = (1, 1)$, this claim follows from respectively Brent and Kung's modular
composition algorithm [10] and Shoup's power projection algorithm [39], which is actually the
transpose of Brent and Kung's. For power projection, extensions to parameters $(m, n) = (1, 2)$ are
in [iniESllS], and the case $(m, n) = (2, 2)$ is partially dealt with in [33]. For completeness, in
Section 2.1, we will give straightforward extensions of the Brent-Kung and Shoup algorithms
to all cases $m, n \in \{1, 2\}$, establishing the bound $O(\delta_{\mathbf{T}}^{(\omega+1)/2})$ claimed above.

We will thus write $\mathsf{C} : \mathbb{N} \to \mathbb{N}$ to denote a function such that over any field, one can do
both modular composition and power projection in $\mathsf{C}(\delta_{\mathbf{T}})$ base field operations, under the
assumptions that the parameters $m, n$ are in $\{1, 2\}$ and $\delta_{\mathbf{f}} \le \delta_{\mathbf{T}}$. We take $\mathsf{C}$ super-linear,
in the sense that we require that $\mathsf{C}(d_1 + d_2) \ge \mathsf{C}(d_1) + \mathsf{C}(d_2)$ holds for all $d_1, d_2$. Then, the
former discussion shows that we can take $\mathsf{C}(d) \in O(d^{(\omega+1)/2}) \subset O(d^{1.69})$.

Some further restrictions are imposed on the function $\mathsf{C}$. As is now customary, we let
$\mathsf{M} : \mathbb{N} \to \mathbb{N}$ be such that over any ring, polynomials of degree less than $d$ can be multiplied in $\mathsf{M}(d)$
base ring operations; we make the standard superlinearity assumptions of [18, Chapter 8].
Using Cantor and Kaltofen's algorithm [12], we can take $\mathsf{M}(d)$ in $O(d \log(d) \log\log(d))$. Then,
to simplify several estimates, we also make the reasonable assumption that $\mathsf{M}(d) \log(d)$ is in
$O(\mathsf{C}(d))$; this is the case for $\mathsf{M}(d)$ quasi-linear and $\mathsf{C}(d) = d^{(\omega+1)/2}$.

The Kedlaya-Umans algorithm and its applications. In a boolean model (using a
boolean RAM, with logarithmic cost for data access), and for $\mathbb{K} = \mathbb{F}_q$, it turns out that
one can do much better than in the algebraic model for modular composition and power
projection.

The best known result comes from Kedlaya and Umans' work [26]: for $n = 1$, they show
how to solve both problems in $\delta_{\mathbf{T}}^{1+\varepsilon} \log(q)^{1+o(1)}$ bit operations, for all $\varepsilon > 0$. Their algorithm
uses modular techniques (transferring the problem over $\mathbb{F}_q$ to a problem over $\mathbb{Z}$, and vice
versa), and the idea does not seem to extend easily to an arbitrary base field. In [34], we
described an extension of this result to any parameters $m, n \in \{1, 2\}$, with a running time
of $\delta_{\mathbf{T}}^{1+\varepsilon}\, \tilde{O}(\log(q))$ bit operations for any $\varepsilon > 0$; the $\tilde{O}$ notation indicates the omission of
polylogarithmic factors of the form $\log\log(q)^{O(1)}$.

In this paper, we will be interested in both models, algebraic and boolean. Now, for 
a given algorithm, the cost analysis in the boolean model differs from the analysis in the 
algebraic model (where we only count base field operations) by a few aspects. A minor issue 
is that we should count the cost of fetching data (which grows like log(a), to access the 
contents at address a). Another difference is that in the boolean model, we need to take 
into account the boolean cost of operations in $\mathbb{F}_q$: disregarding the cost of fetching data, any
arithmetic operations in $\mathbb{F}_q$ can be done in $\tilde{O}(\log(q))$ bit operations, say $\log(q) \log\log(q)^k$
for some fixed $k > 0$.

As a result, in what follows, in all rigor, we should prove most statements twice, once 
in the algebraic complexity model and once in the boolean one. To avoid making the paper 
excessively heavy, we will indeed state our main results twice, but all intermediate results and 
proofs will be given for the algebraic model. There would actually be no major difference in 
the boolean model, only some extra bookkeeping, on the basis of the remarks in the previous 
paragraph. 

Similarly to the algebraic case, $\mathsf{C}_{\mathrm{bool}}$ will thus denote a function such that one can do
both modular composition and power projection over $\mathbb{F}_q$ using $\mathsf{C}_{\mathrm{bool}}(\delta_{\mathbf{T}}, q)$ bit operations,
assuming that the parameters $m, n$ are in $\{1, 2\}$ and that $\delta_{\mathbf{f}} \le \delta_{\mathbf{T}}$. As before, we require
that $\mathsf{C}_{\mathrm{bool}}(d_1 + d_2, q) \ge \mathsf{C}_{\mathrm{bool}}(d_1, q) + \mathsf{C}_{\mathrm{bool}}(d_2, q)$ holds for all $d_1, d_2, q$. As in the algebraic
case, we will also assume that the cost of polynomial multiplication and related operations
can be absorbed into $\mathsf{C}_{\mathrm{bool}}$: explicitly, we require that for any function $f(d) \in \tilde{O}(d)$, the
function $f(d) \log(q) \log\log(q)^k$ is in $O(\mathsf{C}_{\mathrm{bool}}(d, q))$, where $k$ is the constant introduced above.
The results of [31] imply that we can take $\mathsf{C}_{\mathrm{bool}}(d, q)$ in $d^{1+\varepsilon}\, \tilde{O}(\log(q))$ for any $\varepsilon > 0$.

Main results. The questions we will consider are the following set-theoretic operations. In
all the following items, all triangular sets are supposed to generate zero-dimensional radical
ideals.

$P_1$. Given triangular sets $\mathbf{T}^{(1)}, \dots, \mathbf{T}^{(s)}$ and $\mathbf{S}^{(1)}, \dots, \mathbf{S}^{(r)}$ in $\mathbb{K}[X_1, \dots, X_n]$, for a variable
order $<$, and given a target variable order $<'$, compute the equiprojectable decomposition

$$\mathcal{D}\big(V(\mathbf{T}^{(1)}) \cup \cdots \cup V(\mathbf{T}^{(s)}) - V(\mathbf{S}^{(1)}) - \cdots - V(\mathbf{S}^{(r)}),\ <'\big).$$

We let $\delta_1$ be the sum of the degrees of $\mathbf{T}^{(1)}, \dots, \mathbf{T}^{(s)}$ and $\mathbf{S}^{(1)}, \dots, \mathbf{S}^{(r)}$.

$P_2$. Given a triangular set $\mathbf{T}$ in $\mathbb{K}[X_1, \dots, X_n]$ for a variable order $<$, as well as $F$ in $R_{\mathbf{T}}$
and a target variable order $<'$, compute the equiprojectable decompositions

$$\mathcal{D}(V(\mathbf{T}) \cap V(F), <') \quad\text{and}\quad \mathcal{D}(V(\mathbf{T}) - V(F), <');$$

for every $\mathbf{T}'$ in $\mathcal{D}(V(\mathbf{T}) - V(F), <')$, compute also the inverse of $F$ in $R_{\mathbf{T}'}$. (Note
that even if $F$ is only defined modulo $\langle \mathbf{T} \rangle$, the two sets above are actually defined
unambiguously.) In this case, we let $\delta_2$ be the degree of $\mathbf{T}$.

These questions are general enough to allow us to solve a variety of classical problems for
triangular sets. When the initial and target orders are the same, and when $r = 0$, the first
question amounts to computing the equiprojectable decomposition of a family of triangular
sets, which is a key subroutine in the algorithms of [15]. When the initial and target orders
are different, taking only a single triangular set $\mathbf{T}$ as input, the first question allows us to
perform a change of order on $\mathbf{T}$, and to output a canonical family of triangular sets for the
target order. Taking the same order for input and output, the second operation allows us
to compute the quasi-inverse of a polynomial $F$ modulo $\langle \mathbf{T} \rangle$, which amounts to splitting $V(\mathbf{T})$
into its components where $F$ vanishes, resp. is invertible. This is an important subroutine
for triangular decomposition algorithms [28].

With that being said, our first main results are the following: 

Theorem 1. In an algebraic RAM complexity model, the following holds over any field $\mathbb{K}$
of characteristic $p$:

• if $p = 0$ or $p$ is greater than $\delta_1^2$, one can answer question $P_1$ using an expected
$O(n\, \mathsf{C}(\delta_1)(n + \log(\delta_1)))$ base field operations;

• if $p = 0$ or $p$ is greater than $\delta_2^2$, one can answer question $P_2$ using an expected
$O(n\, \mathsf{C}(\delta_2)(n + \log(\delta_2)))$ base field operations.

In a boolean RAM complexity model, the following holds over any finite field $\mathbb{F}_q$ of
characteristic $p$:

• if $p$ is greater than $\delta_1^2$, one can answer question $P_1$ using an expected
$O(n\, \mathsf{C}_{\mathrm{bool}}(\delta_1, q)(n + \log(\delta_1)))$ bit operations;

• if $p$ is greater than $\delta_2^2$, one can answer question $P_2$ using an expected
$O(n\, \mathsf{C}_{\mathrm{bool}}(\delta_2, q)(n + \log(\delta_2)))$ bit operations.

Using the estimates of the previous paragraphs, the former costs are $\tilde{O}(n^2 \delta_1^{(\omega+1)/2})$ and
$\tilde{O}(n^2 \delta_2^{(\omega+1)/2})$, and the latter are $n^2 \delta_1^{1+\varepsilon}\, \tilde{O}(\log(q))$ and $n^2 \delta_2^{1+\varepsilon}\, \tilde{O}(\log(q))$, for any $\varepsilon > 0$.
Since the input sizes are roughly proportional to $\delta_1$ (resp. $\delta_2$) field elements, this means that
with respect to $\delta_1$ (resp. $\delta_2$), we obtain a subquadratic running time in the algebraic model,
and a quasi-linear running time in the boolean model.

Before discussing further questions, we briefly comment on the assumption on the
characteristic of $\mathbb{K}$. We do need $2, \dots, \delta_1$ (resp. $2, \dots, \delta_2$) to be invertible in $\mathbb{K}$; otherwise, the
algorithm will not work. The stronger requirement that $2, \dots, \delta_1^2$ (resp. $2, \dots, \delta_2^2$) are units
allows us to find random elements in $\mathbb{K}$ that are "lucky" with large probability; if this
assumption does not hold, the algorithm may still succeed, but we lose the control on the
expected running time.

The basic idea of our algorithms is from [34]: we reduce everything to computations
with univariate polynomials, since most operations above will be easy to deal with in the 
univariate case. To this end, we perform a change of representation between our input and 
a univariate representation, by using repeatedly modular composition and power projection. 

This raises the question of whether better algorithms may be possible, bypassing modular 
composition and power projection. The following theorem essentially proves that this is not 
the case, and that computing the equiprojectable decomposition is essentially equivalent to 
modular composition or power projection, at least for the choice of parameter m = 1. 

In what follows, let $\mathsf{E} : \mathbb{N}^2 \to \mathbb{N}$ be such that one can solve problem $P_1$ above in $\mathsf{E}(n, \delta_1)$
base field operations (in an algebraic model), for triangular sets in $n$ variables. Then, our
second main result is the following.

Theorem 2. Let $\mathbf{T}$ be a triangular set in $n$ variables, with $n \in \{1, 2\}$, that generates a
radical ideal. Then, we can compute modular compositions and power projections modulo
$\langle \mathbf{T} \rangle$ with parameters $(1, n)$ and size $\delta_{\mathbf{f}} \le \delta_{\mathbf{T}}$ in time $2\mathsf{E}(4, \delta_{\mathbf{T}}) + \tilde{O}(\delta_{\mathbf{T}})$.

In other words, if we are able to compute four-variate equiprojectable decompositions
efficiently, we can compute modular compositions and power projections efficiently for some
small values of the parameters (which cover in particular the most useful case $m = n = 1$,
that is, computing $F(G) \bmod T$, for univariate polynomials $F, G, T$). Note that an entirely
similar result holds for the boolean model as well.

Organization of the paper. Section 2 introduces most basic algorithms used in the paper:
a reminder on modular composition and power projection for triangular sets in one or two
variables, and conversions between univariate and triangular representations. Section 3 gives
an algorithm to compute the so-called ^-decomposition of a zero-dimensional algebraic set V, 
that is, a decomposition according to the cardinalities of the fibers of a mapping : ^ — )■ K . 
We use this in Section 4 to prove Theorem 1; in that section, we also present experimental
results obtained with a Maple implementation. Finally, Section 5 proves Theorem 2.

Previous work. Let us first review previous work for the questions we consider in the
algebraic complexity model.

For a triangular set $\mathbf{T}$, some previous algorithms have costs of the form $\tilde{O}(4^n \delta_{\mathbf{T}})$ for
multiplication in $R_{\mathbf{T}}$ [31] or $\tilde{O}(K^n \delta_{\mathbf{T}})$ for computing quasi-inverses in $R_{\mathbf{T}}$ [E], for $K$ a
large constant. For multiplication, some particular cases with a better cost are discussed
in [H]. An algorithm for regularization, a similar question to quasi-inverse, is given in [2H1 
[25] : under a non-degeneracy assumption, its cost grows like ^2<i<n 2**^1 ' ' ' to 
polylogarithmic factors. In particular, all these algorithms involve an extra factor of the
form $K^n$.

For change of order, previous work includes [9] (which covers more general questions, 
e.g. in positive dimension), for which we are not aware of a complexity analysis. A close 
reference to our work is [53]: the results in that paper are restricted to the bivariate case, 
but use similar techniques; our algorithms are actually a generalization of those in [33] . 

It is worth discussing in some detail a natural approach to change of order, based on
resultant computations. In the simplest case of bivariate systems, changing the order in a
triangular set $(T_1(X_1), T_2(X_1, X_2))$ can be done by first computing the resultant $\mathrm{res}(T_1, T_2, X_1)$,
so as to eliminate $X_1$ — this would of course be only the first step of the algorithm, since we
would also have to deal with $X_2$. Still, already this first step may be costly, since the best
algorithm we are aware of takes time $\tilde{O}(d_1^2 d_2)$, which can be as large as $\tilde{O}(\delta_{\mathbf{T}}^2)$. An
extension to triangular sets in more variables could be done along the lines of [28, 29]; roughly
speaking, it may induce costs similar to the one seen above for regularization.

For the problem of computing the equiprojectable decomposition (or more generally, for
our question $P_1$), we are not aware of previous complexity results.

In the boolean model, relying on the results by Kedlaya and Umans mentioned above,
we showed in [31] that it is possible to answer some of our questions in $n^2 \delta_{\mathbf{T}}^{1+\varepsilon}\, \tilde{O}(\log(q))$
bit operations, for any fixed $\varepsilon > 0$ (note that exponential terms of the form $K^n$ have
disappeared). Those results addressed multiplication in $R_{\mathbf{T}}$ and some restricted forms of
inversion and change of order, but did not consider any issues related to equiprojectable
decomposition.

2 Notations and known results 

In this section, we first recall a few results from the literature, and describe algorithms for 
bivariate modular composition and power projection (thereby proving the claim made in 
the introduction regarding the cost of these operations in an algebraic model). In a second 
subsection, we discuss the representation of zero-dimensional algebraic sets by means of 
univariate representations, and give some basic algorithms for this data structure. 

2.1 Basic algorithms 

In this subsection, we let $A$ denote either $\mathbb{K}[X_1]$ or $\mathbb{K}[X_1, X_2]$ and we consider a triangular set
$\mathbf{T}$ in $A$; we write as usual $R_{\mathbf{T}} = A/\langle \mathbf{T} \rangle$ and we let $V$ be the zero-set of $\mathbf{T}$, in either $\overline{\mathbb{K}}$ or $\overline{\mathbb{K}}^2$.
We will describe a few useful algorithms for computing in $R_{\mathbf{T}}$; most of them actually extend
to $A = \mathbb{K}[X_1, \dots, X_n]$, but the costs would then involve an extra factor of the form $K^n$, for
some constant $K$.

In all this subsection, we will assume that the characteristic of $\mathbb{K}$ is equal to $0$ or greater
than $\delta_{\mathbf{T}}$.

Multiplication and transposed multiplication. Using univariate multiplication, we
can do the following in $O(\mathsf{M}(\delta_{\mathbf{T}}))$ operations in $\mathbb{K}$:

• modular multiplication: given $A, B \in R_{\mathbf{T}}$, compute $AB \in R_{\mathbf{T}}$;

• transposed multiplication: given a linear form $\ell : R_{\mathbf{T}} \to \mathbb{K}$ and $A \in R_{\mathbf{T}}$, compute the
linear form $A \cdot \ell : R_{\mathbf{T}} \to \mathbb{K}$ defined by $(A \cdot \ell)(B) = \ell(AB)$.

See for instance [12] and [53] for a proof.

Modular composition. In this paragraph, we discuss modular composition with
parameters $(m, n)$, with $m = 2$: given $F \in \mathbb{K}[Y_1, Y_2]$, with $\deg(F, Y_1) < f_1$ and $\deg(F, Y_2) < f_2$,
and given $G_1, G_2$ in $R_{\mathbf{T}}$, this amounts to computing $F(G_1, G_2) \in R_{\mathbf{T}}$. For $(m, n) = (1, 1)$, that
is, with $F$ univariate and $\mathbf{T} = (T_1) \in \mathbb{K}[X_1]$, the best-known algorithm is due to Brent and
Kung [10]. We present here a straightforward generalization, under the simplifying
assumption that $f_1 f_2 \le \delta_{\mathbf{T}}$. Note that solving this problem for $m = 2$ actually also solves it for
$m = 1$, by taking $f_2 = 1$.

We let $e_1, e_1'$ and $e_2, e_2'$ be positive integers such that $e_1 e_1' \ge f_1$ and $e_2 e_2' \ge f_2$ (to be
specified below), and we decompose $F$ into "rectangular slices" of the form

$$F = \sum_{i_1 < e_1,\ i_2 < e_2} F_{i_1,i_2}(Y_1, Y_2)\, Y_1^{e_1' i_1}\, Y_2^{e_2' i_2},$$

with each $F_{i_1,i_2}$ in $\mathbb{K}[Y_1, Y_2]$ and satisfying $\deg(F_{i_1,i_2}, Y_1) < e_1'$ and $\deg(F_{i_1,i_2}, Y_2) < e_2'$. Then,
we have

$$\sum_{i_1 < e_1,\ i_2 < e_2}$$

with $\varphi_{i_1,i_2} = F_{i_1,i_2}(G_1, G_2)$, $\gamma_1 = G_1^{e_1'}$ and $\gamma_2 = G_2^{e_2'}$, all equalities being modulo $\langle \mathbf{T} \rangle$. This
gives the following algorithm:

1. Compute all powers $G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle$, for $j_1 < e_1'$, $j_2 < e_2'$, together with $\gamma_1$ as well as $\gamma_2$. This costs
a total of $e_1' e_2'$ multiplications in $R_{\mathbf{T}}$ (one per monomial).

2. We deduce all $\varphi_{i_1,i_2}$ by linear algebra: given $(i_1, i_2)$, $\varphi_{i_1,i_2} = F_{i_1,i_2}(G_1, G_2) \bmod \langle \mathbf{T} \rangle$ is
obtained by doing the matrix-vector product $M_G V_{i_1,i_2}$, where $M_G$ is the matrix of size
$(\delta_{\mathbf{T}} \times e_1' e_2')$ that contains the coefficients of all $G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle$ (in columns) and $V_{i_1,i_2}$
is the column-vector of coefficients of $F_{i_1,i_2}$; to do it for all $(i_1, i_2)$, we end up doing one
matrix product of size $(\delta_{\mathbf{T}} \times e_1' e_2') \times (e_1' e_2' \times e_1 e_2)$.

3. We eventually get $F(G_1, G_2) \bmod \langle \mathbf{T} \rangle$ by using Horner's scheme twice: first, to
compute

$$= \sum_{i_2 < e_2} \varphi_{i_1,i_2}\, \gamma_2^{i_2} \bmod \langle \mathbf{T} \rangle, \quad i_1 < e_1,$$

this is done with $e_2 - 1$ multiplications modulo $\langle \mathbf{T} \rangle$. Then to compute

$$F(G_1, G_2) \bmod \langle \mathbf{T} \rangle = \sum_{i_1 < e_1}$$

The total is $e_1 e_2 - 1$ multiplications modulo $\langle \mathbf{T} \rangle$.

In total, we do at most $e_1 e_2 + e_1' e_2'$ multiplications modulo $\langle \mathbf{T} \rangle$ and a matrix product of
size $(\delta_{\mathbf{T}} \times e_1' e_2') \times (e_1' e_2' \times e_1 e_2)$. We take $e_1 \simeq e_1' \simeq f_1^{1/2}$ and $e_2 \simeq e_2' \simeq f_2^{1/2}$, and we
write $\varphi = f_1 f_2$. Then, we end up with $O(\varphi^{1/2})$ multiplications modulo $\langle \mathbf{T} \rangle$ and a matrix
product of size $(\delta_{\mathbf{T}} \times \varphi^{1/2}) \times (\varphi^{1/2} \times \varphi^{1/2})$. Since by assumption $\varphi = O(\delta_{\mathbf{T}})$, the cost is
$O(\mathsf{M}(\delta_{\mathbf{T}})\, \delta_{\mathbf{T}}^{1/2} + \delta_{\mathbf{T}}^{(\omega+1)/2})$, which is $O(\delta_{\mathbf{T}}^{(\omega+1)/2})$.

Power projection. Next, we present an algorithm to solve the power projection problem
for parameters $(m, n)$, with $m = 2$. Recall that power projection takes as input a linear form
$\ell \in R_{\mathbf{T}}^*$, $G_1$ and $G_2$ in $R_{\mathbf{T}}$, some bounds $(f_1, f_2)$, and outputs the sequence
$(\ell(G_1^{i_1} G_2^{i_2} \bmod \langle \mathbf{T} \rangle))_{i_1 < f_1,\ i_2 < f_2}$.

For parameters $(m, n) = (1, 1)$, the algorithm is due to Shoup [IQ] and an extension to
$n = 2$ is due to Kaltofen [25]; these algorithms are dual to Brent-Kung's algorithm. As
for modular composition, we present a straightforward generalization to $m = 2$, with the
assumption $f_1 f_2 \le \delta_{\mathbf{T}}$. The algorithm is obtained by simply transposing steps 2 and 3 of
the modular composition algorithm (step 1 is kept as a preprocessing phase), so the cost
estimate is therefore the same.

Let $e_1, e_1', e_2, e_2'$ be as above, and let again $\gamma_1 = G_1^{e_1'} \bmod \langle \mathbf{T} \rangle$ and $\gamma_2 = G_2^{e_2'} \bmod \langle \mathbf{T} \rangle$. For
$i_1 < e_1$ and $i_2 < e_2$, let

$$\ell_{i_1,i_2} = (\gamma_1^{i_1} \gamma_2^{i_2}) \cdot \ell,$$

where the "dot" denotes transposed multiplication. It follows that for $j_1 < e_1'$ and $j_2 < e_2'$,
we have

$$\ell_{i_1,i_2}(G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle) = \ell(\gamma_1^{i_1} \gamma_2^{i_2} G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle) = \ell(G_1^{e_1' i_1 + j_1} G_2^{e_2' i_2 + j_2} \bmod \langle \mathbf{T} \rangle).$$

Thus, we compute all $\ell_{i_1,i_2}(G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle)$, for $i_1 < e_1$, $i_2 < e_2$, $j_1 < e_1'$ and $j_2 < e_2'$;
this gives us the values we need.

1. First, we compute all powers $G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle$, with $j_1 < e_1'$ and $j_2 < e_2'$. This costs
$e_1' e_2' - 1$ multiplications modulo $\langle \mathbf{T} \rangle$. We need as well $\gamma_1$ and $\gamma_2$, for two extra
multiplications.

2. Then, we compute the linear forms $\ell_{i_1,i_2}$ incrementally by $\ell_{i_1+1,i_2} = \gamma_1 \cdot \ell_{i_1,i_2}$ and
$\ell_{i_1,i_2+1} = \gamma_2 \cdot \ell_{i_1,i_2}$; each of them takes one transposed multiplication.

3. We finally compute all $\ell_{i_1,i_2}(G_1^{j_1} G_2^{j_2} \bmod \langle \mathbf{T} \rangle)$ by computing the matrix product $M_\ell M_G$,
where $M_G$ is the same $(\delta_{\mathbf{T}} \times e_1' e_2')$ matrix as in the modular composition case, and $M_\ell$
is the $(e_1 e_2 \times \delta_{\mathbf{T}})$ matrix giving the coefficients of the

In total, we do $e_1 e_2 + e_1' e_2'$ (transposed) multiplications modulo $\langle \mathbf{T} \rangle$ and a matrix product
of size $(e_1 e_2 \times \delta_{\mathbf{T}}) \times (\delta_{\mathbf{T}} \times e_1' e_2')$. Let $\varphi = f_1 f_2$. With $e_1 \simeq e_1' \simeq f_1^{1/2}$ and $e_2 \simeq e_2' \simeq f_2^{1/2}$,
we end up with $2\varphi^{1/2}$ (transposed) multiplications modulo $\langle \mathbf{T} \rangle$ and a matrix product of size
$(\varphi^{1/2} \times \delta_{\mathbf{T}}) \times (\delta_{\mathbf{T}} \times \varphi^{1/2})$. Since $\varphi = O(\delta_{\mathbf{T}})$, the cost is $O(\mathsf{M}(\delta_{\mathbf{T}})\, \delta_{\mathbf{T}}^{1/2} + \delta_{\mathbf{T}}^{(\omega+1)/2})$, which is
$O(\delta_{\mathbf{T}}^{(\omega+1)/2})$.

Together with the former algorithm for modular composition, this shows indeed that we
can take $\mathsf{C}(d)$ in $O(d^{(\omega+1)/2})$, as claimed in the introduction.
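The two algorithms above (modular composition by rectangular slices, and power projection as its transpose), as an added example that is not code from the paper or its Maple implementation. It assumes $n = 1$, $m = 2$ and a prime base field $\mathbb{F}_p$, writes the matrix products as plain loops, and does transposed multiplication naively rather than in $O(\mathsf{M}(\delta_{\mathbf{T}}))$; all names and the sample data are constructed for illustration.

```python
from math import isqrt

def mulmod(a, b, T, p):
    """a*b in R_T = F_p[X]/<T>, T monic; coefficient lists, low degree first."""
    d = len(T) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for k in range(len(prod) - 1, d - 1, -1):      # cancel X^k using the monic T
        c = prod[k]
        for t in range(d + 1):
            prod[k - d + t] = (prod[k - d + t] - c * T[t]) % p
    return (prod + [0] * d)[:d]

def add_scaled(acc, c, v, p):
    return [(x + c * y) % p for x, y in zip(acc, v)]

def dot(ell, v, p):
    return sum(l * c for l, c in zip(ell, v)) % p   # ell is given on the monomial basis

def block_sizes(f):
    """(e, e') with e' = ceil(sqrt(f)) and e * e' >= f."""
    ep = isqrt(f - 1) + 1
    return -(-f // ep), ep

def baby_steps(G1, G2, e1p, e2p, T, p):
    """Step 1: G1^j1 * G2^j2 for j1 < e1', j2 < e2', and gamma_i = G_i^(e_i')."""
    one = mulmod([1], [1], T, p)
    p1, p2 = [one], [one]
    for _ in range(e1p):
        p1.append(mulmod(p1[-1], G1, T, p))
    for _ in range(e2p):
        p2.append(mulmod(p2[-1], G2, T, p))
    baby = {(j1, j2): mulmod(p1[j1], p2[j2], T, p)
            for j1 in range(e1p) for j2 in range(e2p)}
    return baby, p1[e1p], p2[e2p]

def modular_composition(F, G1, G2, T, p):
    """F(G1, G2) mod T, where F[a][b] is the coefficient of Y1^a * Y2^b."""
    d, f1, f2 = len(T) - 1, len(F), len(F[0])
    (e1, e1p), (e2, e2p) = block_sizes(f1), block_sizes(f2)
    baby, gamma1, gamma2 = baby_steps(G1, G2, e1p, e2p, T, p)
    result = [0] * d
    for i1 in reversed(range(e1)):                 # step 3: Horner in gamma1 ...
        inner = [0] * d
        for i2 in reversed(range(e2)):             # ... and in gamma2
            phi = [0] * d                          # step 2: phi_{i1,i2} = M_G * V_{i1,i2}
            for (j1, j2), power in baby.items():
                a, b = e1p * i1 + j1, e2p * i2 + j2
                if a < f1 and b < f2:
                    phi = add_scaled(phi, F[a][b], power, p)
            inner = add_scaled(mulmod(inner, gamma2, T, p), 1, phi, p)
        result = add_scaled(mulmod(result, gamma1, T, p), 1, inner, p)
    return result

def transposed_mul(A, ell, T, p):
    """A . ell, the form B -> ell(A*B), via its values on 1, X, ..., X^(d-1) (naive)."""
    x = mulmod([0, 1], [1], T, p)
    out, shifted = [], A
    for _ in range(len(T) - 1):
        out.append(dot(ell, shifted, p))
        shifted = mulmod(shifted, x, T, p)
    return out

def power_projection(ell, G1, G2, f1, f2, T, p):
    """Table out[a][b] = ell(G1^a * G2^b mod T) for a < f1, b < f2."""
    (e1, e1p), (e2, e2p) = block_sizes(f1), block_sizes(f2)
    baby, gamma1, gamma2 = baby_steps(G1, G2, e1p, e2p, T, p)
    out = [[0] * f2 for _ in range(f1)]
    row_form = ell                                  # ell_{i1,0}
    for i1 in range(e1):
        form = row_form                             # ell_{i1,i2}
        for i2 in range(e2):
            for (j1, j2), power in baby.items():    # step 3: entries of M_ell * M_G
                a, b = e1p * i1 + j1, e2p * i2 + j2
                if a < f1 and b < f2:
                    out[a][b] = dot(form, power, p)
            form = transposed_mul(gamma2, form, T, p)      # step 2: ell_{i1,i2+1}
        row_form = transposed_mul(gamma1, row_form, T, p)  # ell_{i1+1,0}
    return out

def duality_holds(F, ell, G1, G2, T, p):
    """ell(F(G1,G2)) == sum_{a,b} F[a][b] * ell(G1^a G2^b): the problems are transposes."""
    proj = power_projection(ell, G1, G2, len(F), len(F[0]), T, p)
    rhs = sum(c * v for frow, prow in zip(F, proj) for c, v in zip(frow, prow)) % p
    return dot(ell, modular_composition(F, G1, G2, T, p), p) == rhs

# Constructed sample over F_97: T = X^6 + 3X + 5, F of bidegree < (3, 2), so f1*f2 <= deg T.
P_MOD, T_MOD = 97, [5, 3, 0, 0, 0, 0, 1]
G1, G2 = [1, 2, 0, 4, 0, 7], [3, 0, 5, 0, 0, 1]
F = [[1, 2], [3, 4], [5, 6]]
ELL = [1, 0, 2, 0, 0, 3]
```

`duality_holds(F, ELL, G1, G2, T_MOD, P_MOD)` checks on the sample that the two outputs are related as transposes of one another.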

Trace and characteristic polynomial. For $A \in R_{\mathbf{T}}$, we let $\tau(A) \in \mathbb{K}$ and $\chi_A \in \mathbb{K}[X]$
be respectively the trace and characteristic polynomial of the multiplication-by-$A$
endomorphism of $R_{\mathbf{T}}$. We discuss briefly how to compute these objects.

The trace $\tau : R_{\mathbf{T}} \to \mathbb{K}$ is actually a $\mathbb{K}$-linear form. Using fast multiplication, it is possible
to determine its values on the monomial basis $B_{\mathbf{T}}$ of $R_{\mathbf{T}}$ using $O(\mathsf{M}(\delta_{\mathbf{T}}))$ operations [33].

Since $R_{\mathbf{T}}$ is a reduced algebra, by [14, Prop. 4.2.7] (sometimes called Stickelberger's
Theorem), we have

$$\chi_A = \prod_{x \in V} (X - A(x)). \qquad (1)$$

We can compute $\chi_A$ using power projection (this is well-known, see e.g. [35] for a presentation
of this algorithm in a more general context). We start by computing the values of the trace $\tau$
on the monomial basis $B_{\mathbf{T}}$. By power projection, we can then compute the traces $\tau(A^i)$, for
$i = 0, \dots, \delta_{\mathbf{T}} - 1$, which are the power sums of $\chi_A$. By our assumption on the characteristic
of $\mathbb{K}$, we can then use Newton iteration (for the exponential of a power series) to deduce the
characteristic polynomial $\chi_A$ of $A$ in time $O(\mathsf{M}(\delta_{\mathbf{T}}))$, see (TUl By our assumption that
$\mathsf{M}(d) \log(d) = O(\mathsf{C}(d))$, we deduce that the power projection is the dominant part of this
algorithm, so the total cost is $O(\mathsf{C}(\delta_{\mathbf{T}}))$.

Inverse modular composition. A second use of trace formulas is an inverse modular
composition. Given $A$ and $B$ in $R_{\mathbf{T}}$, we want to compute a polynomial $U \in \mathbb{K}[X]$, if it
exists, such that $B = U(A)$ in $R_{\mathbf{T}}$. In [34], following ideas from [39, 35], we recall an
algorithm that computes a polynomial $U$ in time $O(\mathsf{C}(\delta_{\mathbf{T}}))$, such that if $B$ can indeed be
written as a polynomial in $A$, then $B = U(A)$; note that the analysis uses the assumption
that $\mathsf{M}(d) \log(d)$ is in $O(\mathsf{C}(d))$, and our assumption on the characteristic of $\mathbb{K}$. Verifying
whether $B = U(A)$ can be done for another modular composition, so the total time is
$O(\mathsf{C}(\delta_{\mathbf{T}}))$.

2.2 Univariate representations 

We next turn to questions related to the representation of zero-dimensional algebraic sets.
We have already introduced triangular representations; in this subsection, we will discuss
univariate representations, which rely on the introduction of a linear combination of all
variables, and for which most of our questions are easy to solve.

In all that follows, the degree $\deg(V)$ of a zero-dimensional algebraic set $V$ simply denotes
its cardinality.

Definition. Let $V \subset \overline{\mathbb{K}}^n$ be a zero-dimensional algebraic set of degree $\delta$, defined over $\mathbb{K}$,
and let $I$ be its defining ideal.

A univariate representation $\mathscr{U} = (P, \mathbf{U}, \mu)$ of $V$ consists of a polynomial $P \in \mathbb{K}[X]$, a
sequence of polynomials $\mathbf{U} = (U_1, \dots, U_n) \in \mathbb{K}[X]^n$, with $\deg(U_i) < \deg(P)$ for all $i$, as well
as a linear form $\mu = \mu_1 X_1 + \cdots + \mu_n X_n$ with coefficients in $\mathbb{K}$, such that

$$\begin{array}{rccc} \Psi_{\mathscr{U}} : & \mathbb{K}[\mathbf{X}]/I & \to & \mathbb{K}[X]/\langle P \rangle \\ & X_1, \dots, X_n & \mapsto & U_1, \dots, U_n \\ & \mu_1 X_1 + \cdots + \mu_n X_n & \mapsto & X \end{array} \qquad (2)$$

is an isomorphism: this allows one to transfer most algebraic operations to the ring $\mathbb{K}[X]/\langle P \rangle$,
where arithmetic is easy. In particular, the definition implies that $P$ is squarefree, and that
it is the characteristic polynomial of $\mu$ in $\mathbb{K}[\mathbf{X}]/I$. Thus, we have

$$P = \prod_{x \in V} (X - \mu(x))$$

and $x_i = U_i(\mu(x))$ for all $x = (x_1, \dots, x_n)$ in $V$ and $i \le n$.

This kind of representation is familiar: up to a few differences, it is used for instance in 

[2Ql El ESI EH Eg. 

We will call a linear form fi = fiiXi + ■ ■ ■ + ^nXn a separating element for V if for 
all distinct x, x' in V, ;u(x) ^ yu(x'). One easily sees that yU is separating if and only if V 
admits a univariate representation of the form ^ = (P, U, /i), if and only if the characteristic 
polynomial P of /i in K[X]/J is squarefree. This characterization implies the following well- 
known lemma. 

Lemma 1. If the characteristic of $K$ is at least $\delta^2$, and if $\mu_1, \dots, \mu_n$ are chosen uniformly
at random in $\mathfrak{S} = \{0, \dots, \delta^2 - 1\}$, the probability that $\mu = \mu_1 X_1 + \cdots + \mu_n X_n$ be a separating
element for $V$ is at least $1/2$. The same remains true if $\mu_n$ is set to $1$ and $\mu_1, \dots, \mu_{n-1}$ are
chosen uniformly at random in $\mathfrak{S}$.

Proof. The above characterization implies that $\mu$ is separating if and only if $(\mu_1, \dots, \mu_n)$
does not cancel the polynomial $\Delta$ of degree $\delta(\delta - 1)/2$ defined by

$$\Delta(M_1, \dots, M_n) = \prod \bigl(M_1 (x_1 - x_1') + \cdots + M_n (x_n - x_n')\bigr).$$

The Zippel-Schwartz lemma implies that there are at most $\delta^{2n}/2$ roots of $\Delta$ in $\mathfrak{S}^n$, and the
first statement follows. To get the second one, observe that $\Delta$ is homogeneous, so we can
set $M_n = 1$ without loss of generality; the second statement follows. □

Useful algorithms. We conclude this section with a few algorithms for univariate
representations. Most of what is here is standard, or at least folklore, although the complexity
statements themselves may be new (e.g., one finds in [22] an equivalent of Lemma 2 below,
but with a quadratic running time).

Lemma 2. Given a univariate representation $\mathcal{U} = (P, \mathbf{U}, \mu)$ of an algebraic set $V \subset K^n$
defined over $K$, and a linear form $\nu = \nu_1 X_1 + \cdots + \nu_n X_n$ with coefficients in $K$, one can
decide whether $\nu$ is a separating element for $V$, and if so compute the corresponding
univariate representation $\mathcal{V} = (Q, \mathbf{V}, \nu)$, in time $O(n\,C(\delta))$, with $\delta = \deg(V)$, provided that the
characteristic of $K$ is equal to or greater than $\delta$.

Proof. Let $\Psi_{\mathcal{U}}$ be as in Equation (2). We first compute $N = \Psi_{\mathcal{U}}(\nu) = \nu_1 U_1 + \cdots + \nu_n U_n$;
this takes only $O(n\delta)$ operations.

Next, we compute the characteristic polynomial $Q$ of $N$ in $K[X]/\langle P \rangle$; as mentioned
before, $\nu$ is a separating element for $V$ if and only if $Q$ is squarefree. We have seen that
computing $Q$ takes time $O(C(\delta))$; testing squarefreeness takes time $O(M(\delta)\log(\delta))$, which is
by assumption $O(C(\delta))$.

When $\nu$ is separating, we can use the algorithm for inverse modular composition, to find
polynomials $V_1, \dots, V_n$ such that $U_i = V_i(N) \bmod Q$ holds for all $i$; then, we have found
$\mathcal{V} = (Q, (V_1, \dots, V_n), \nu)$. In view of the results recalled in Subsection 2.1 on inverse modular
composition, the total time is $O(n\,C(\delta))$. □

Lemma 3. Given univariate representations $\mathcal{U} = (P, \mathbf{U}, \mu)$ and $\mathcal{V} = (Q, \mathbf{V}, \nu)$ of two
algebraic sets $V \subset K^n$ and $W \subset K^n$ defined over $K$, one can compute univariate representations
of either $V \cup W$ or $V - W$ in expected time $O(n\,C(\delta))$, with $\delta = \deg(V) + \deg(W)$, provided
that the characteristic of $K$ is equal to or greater than $\delta^2$.

Proof. The following process is repeated until success. We pick a random linear form
$\lambda = \lambda_1 X_1 + \cdots + \lambda_n X_n$ with coefficients in $\mathfrak{S} = \{0, \dots, \delta^2 - 1\}$, and apply the algorithm of
Lemma 2 to $(\mathcal{U}, \lambda)$ and $(\mathcal{V}, \lambda)$. The cost of this step is $O(n\,C(\delta))$. In case of success, we let
$\mathcal{U}' = (P', \mathbf{U}', \lambda)$ and $\mathcal{V}' = (Q', \mathbf{V}', \lambda)$ be the resulting univariate representations of $V$ and
$W$; if either subroutine fails, we pick another $\lambda$.

At this stage, $\lambda$ is separating for both $V$ and $W$. Now, we compute the polynomial
$S = \gcd(P', Q')$, as well as $P'' = P'/S$ and $Q'' = Q'/S$. We also compute

$$U_i'' = U_i' \bmod P'', \quad T_i = U_i' \bmod S, \quad W_i = V_i' \bmod S, \quad V_i'' = V_i' \bmod Q''$$

for all $i$. Using fast GCD and fast Euclidean division, this can be done in time
$O(M(\delta)\log(\delta) + n\,M(\delta))$, which is negligible compared to the cost of the first step.

These polynomials will allow us to determine whether $\lambda$ is a separating element for
$V \cup W$. This is the case if and only if for any common root $a$ of $P'$ and $Q'$, the equalities
$U_i'(a) = V_i'(a)$ hold for all $i \le n$, that is, if $T_i = W_i$ holds for all $i$. Doing this test takes time
$O(n\delta)$; if not all equalities hold, we pick another $\lambda$. Note that if $\lambda$ is separating for $V \cup W$,
it is separating for $V - W$.

Assuming $\lambda$ is a separating element for $V \cup W$, we obtain a univariate representation
for $V \cup W$ by computing $(P'' S Q'', (E_1, \dots, E_n), \lambda)$, where $E_i$ is obtained by applying the
Chinese Remainder Theorem to $(U_i'', T_i, V_i'')$ and moduli $(P'', S, Q'')$, for all $i$. Computing
these polynomials takes time $O(n\,M(\delta)\log(\delta))$, which is again $O(n\,C(\delta))$. Similarly, we obtain
a univariate representation for $V - W$ as $(P'', (U_1'', \dots, U_n''), \lambda)$.

By Lemma 1 we expect to test $O(1)$ choices of $\lambda$ (precisely, at most 2) before finding a
suitable one. As a consequence, the expected running time is $O(n\,C(\delta))$. □

To conclude this section, we mention the following result about conversions between 
univariate and triangular representations. 

As a preliminary, remember that if $\mathcal{U} = (P, \mathbf{U}, \mu)$ is a univariate representation of an
algebraic set $V$, there exists an isomorphism $\Psi_{\mathcal{U}} : K[\mathbf{X}]/I(V) \to K[X]/\langle P \rangle$. If furthermore
the defining ideal of $V$ admits a triangular set of generators $T$ for some variable order $<$, we
also have $K[\mathbf{X}]/I(V) \simeq R_T$. As a result, there exist change-of-basis isomorphisms

$$\Phi_{T,\mathcal{U}} : K[X]/\langle P \rangle \to R_T \quad\text{and}\quad \Psi_{T,\mathcal{U}} : R_T \to K[X]/\langle P \rangle,$$

which will be useful in the sequel.

Lemma 4. Let $V \subset K^n$ be an algebraic set of degree $\delta$, defined over $K$, and let
$I \subset K[X_1, \dots, X_n]$ be its defining ideal; suppose that the characteristic of $K$ is equal to or
greater than $\delta^2$. Let finally $<$ be an order on the variables $X_1, \dots, X_n$ and suppose that $I$ is
generated by a triangular set $T$ for the variable order $<$. Then the following holds:

• Given a univariate representation $\mathcal{U} = (P, \mathbf{U}, \mu)$ of $V$, one can compute the triangular
set $T$ in expected time $O(n^2 C(\delta))$. Given $A$ in $K[X]/\langle P \rangle$, one can then compute
$\Phi_{T,\mathcal{U}}(A) \in R_T$ in time $O(n\,C(\delta))$.

• Given $T$, one can compute a univariate representation $\mathcal{U} = (P, \mathbf{U}, \mu)$ of $V$ in expected
time $O(n^2 C(\delta))$. Given $A$ in $R_T$, one can then compute $\Psi_{T,\mathcal{U}}(A) \in K[X]/\langle P \rangle$ in time
$O(n\,C(\delta))$.

Proof. We will merely describe the main ideas, so as to highlight the roles of modular
composition and power projection. Details are given in [SU Section 5.3 and 6.3], together with
worked-out examples (the complexity analysis there is given in the boolean model, but carries
over to the algebraic model without difficulty). In both directions, we proceed one variable
at a time.

• In the first direction, we change (if needed) the linear form $\mu$, so as to ensure that the
coefficient of $X_n$ in $\mu$ is equal to 1; this is done in expected time $O(n\,C(\delta))$ by means
of Lemmas 1 and 2. This mild condition is needed to apply the algorithm of [31]; we
still write the input $\mathcal{U} = (P, \mathbf{U}, \mu)$.

Then, we let $\mu' = \mu_1' X_1 + \cdots + \mu_{n-2}' X_{n-2} + X_{n-1}$ be a random combination of
$X_1, \dots, X_{n-1}$, with coefficients in $\{0, \dots, \delta^2 - 1\}$, whose coefficient in $X_{n-1}$ is 1. We
can then replace the single polynomial $P_n(X) = P(X)$ by a bivariate triangular set

$$\left|\begin{array}{l} T_{n-1,n}(X, X_n) \\ P_{n-1}(X), \end{array}\right.$$

where $P_{n-1}$ is the squarefree part of the characteristic polynomial of
$\mu_1' U_1 + \cdots + \mu_{n-2}' U_{n-2} + U_{n-1}$ modulo $P_n$. As we go, we also compute expressions of $U_1, \dots, U_{n-1}$ as
polynomials in $\mu'$, to allow the process to continue. In the second step, we introduce a
triangular set

$$\left|\begin{array}{l} T_{n-2,n} \\ T_{n-2,n-1} \\ P_{n-2}(X) \end{array}\right.$$

in three variables $X, X_{n-1}, X_n$, and so on until we obtain $T$.

Using formulas from El], going from $(P_n)$ to $(P_{n-1}, T_{n-1,n})$ is done by means of
power projections with parameters (1,1) and (2,1) and size $\delta = \deg(P_n)$, as well as
inverse modular compositions, all computed modulo $\langle P_n \rangle$; the total time is $O(n\,C(\delta))$.
The change of basis $K[X]/\langle P_n \rangle \to K[X, X_n]/\langle P_{n-1}, T_{n-1,n} \rangle$ is done by means of a
modular composition with parameters (1,2) and size $\delta = \deg(P_n)$, computed modulo
$\langle P_{n-1}, T_{n-1,n} \rangle$; it takes time $O(C(\delta))$.

The further steps are done in the same manner. For instance, going from $(P_{n-1}, T_{n-1,n})$
to $(P_{n-2}, T_{n-2,n-1}, T_{n-2,n})$ requires first to compute $(P_{n-2}, T_{n-2,n-1})$, similarly to what
we did in the first step. Then, we obtain $T_{n-2,n}$ by applying the change of basis
$K[X]/\langle P_{n-1} \rangle \to K[X, X_n]/\langle P_{n-2}, T_{n-2,n-1} \rangle$ to all coefficients of $T_{n-1,n}$.

There are $n$ such steps before we reach $T$; each takes an expected $O(n\,C(\delta))$, so the
total time is an expected $O(n^2 C(\delta))$.

Starting from $A$ in $K[X]/\langle P \rangle$, we obtain its image in $R_T$ by computing its
representations in $K[X, X_n]/\langle P_{n-1}, T_{n-1,n} \rangle$, and so on. Each conversion is done as above by
means of modular compositions with parameters (1,2) and takes time $O(C(\delta))$; the
total number of operations is thus $O(n\,C(\delta))$.

• To compute a univariate representation starting from a triangular set $T = (T_1, \dots, T_n)$,
we follow the same process backward. Starting from $(T_{n,1}, \dots, T_{n,n}) = (T_1, \dots, T_n)$, we
first work with $(T_{n,1}, T_{n,2})$, and find a univariate representation for these two
polynomials; this gives us the triangular set in $n - 1$ variables $(P_{n-1}, T_{n-1,3}, \dots, T_{n-1,n})$. We
continue until we reach a single polynomial $P_n$, which we will simply write $P$.

The polynomial $P_{n-1}(X)$ is the characteristic polynomial of a random combination of
$X_1, X_2$ with coefficients in $\{0, \dots, \delta^2 - 1\}$, computed modulo $\langle T_{n,1}, T_{n,2} \rangle$; all other
polynomials $T_{n-1,j}$ are obtained by applying the change-of-basis
$K[X_1, X_2]/\langle T_{n,1}, T_{n,2} \rangle \to K[X]/\langle P_{n-1} \rangle$.

This first step requires a power projection with parameters (1,2), as well as modular
compositions with parameters (2,1), and the cost is an expected $O(n\,C(\delta))$. Since there
are $n$ such steps, the total cost is then an expected $O(n^2 C(\delta))$. The change-of-basis
$R_T \to K[X]/\langle P \rangle$ is obtained similarly by means of modular compositions, and takes
time $O(n\,C(\delta))$.

□

3 The $\varphi$-decomposition

In this section, we define the notions of $\varphi$-equiprojectable sets and $\varphi$-decomposition of a
zero-dimensional algebraic set $V \subset K^n$, where $\varphi$ is a mapping $K^n \to K^m$. We then give an
algorithm to compute the $\varphi$-decomposition of $V$, by reducing again this problem to (mainly)
modular composition and power projection.

In what follows, we suppose that $V$ is a zero-dimensional algebraic subset of $K^n$ of
cardinality $\delta$, defined over $K$, and we let $I \subset K[\mathbf{X}] = K[X_1, \dots, X_n]$ be its defining ideal.
We make the assumption that the characteristic of $K$ is equal to or greater than $\delta^2$.

We start with the definition of some counting functions. Let $\varphi : K^n \to K^m$ be a mapping
given by polynomials with coefficients in $K$. For $x$ in $V$, we let $c(V, x, \varphi)$ be the cardinality of
the set $\{x' \in V,\ \varphi(x') = \varphi(x)\}$: this is the number of points $x'$ in $V$ such that $\varphi(x') = \varphi(x)$.
Then, we say that $V$ is $\varphi$-equiprojectable if there exists a positive integer $d$ such that for all
$x$ in $V$, $c(V, x, \varphi) = d$.

In general, we should not expect $V$ to be $\varphi$-equiprojectable. Then, we define

$$\mathcal{C}(V, \varphi, r) = \{x \in V,\ c(V, x, \varphi) = r\};$$

this is the set of all $x \in V$ with $r$ points in their $\varphi$-fiber. Since $V$ is finite, $x \mapsto c(V, x, \varphi)$
takes only finitely many values on $V$, say $r_1 < \cdots < r_s$. As a consequence, the sets

$$V_{r_1} = \mathcal{C}(V, \varphi, r_1), \quad \dots, \quad V_{r_s} = \mathcal{C}(V, \varphi, r_s) \tag{3}$$

form a partition of $V$; by construction, all these sets are $\varphi$-equiprojectable. We will write

$$\mathrm{Dec}(V, \varphi) = \{V_{r_1}, \dots, V_{r_s}\},$$

and we will call this decomposition the $\varphi$-decomposition of $V$. Although it may not be clear
from our definition, all $V_{r_i}$ are in fact defined over $K$.

Lemma 5. With notation as in (3), $V_{r_1}, \dots, V_{r_s}$ are defined over $K$.

Proof. We are going to prove that for any $r \ge 1$,

$$\mathcal{C}'(V, \varphi, r) = \{x \in V,\ c(V, x, \varphi) \ge r\}$$

is defined over $K$. Since $\mathcal{C}(V, \varphi, r) = \mathcal{C}'(V, \varphi, r) - \mathcal{C}'(V, \varphi, r + 1)$, and since the set-theoretic
difference of two zero-dimensional algebraic sets defined over $K$ is still defined over $K$, this
will be sufficient to establish our claim.

Fix $r \ge 1$, and let $V^{(r)}$ be the $r$-fold product $V \times \cdots \times V \subset K^{nr}$; obviously, $V^{(r)}$ is defined
over $K$. Let $(x_1, \dots, x_r)$ be the coordinates on $K^{nr}$, where each $x_i$ has length $n$, and let

$$W^{(r)} = V^{(r)} - \bigcup_{1 \le i < j \le r} \Delta_{i,j},$$

where $\Delta_{i,j}$ is defined by $x_i = x_j$. Again, $W^{(r)}$ is defined over $K$, and $(x_1, \dots, x_r)$ is in $W^{(r)}$
if and only if all $x_i$ are in $V$ and pairwise distinct. Finally, we define

$$Z^{(r)} = W^{(r)} \cap \bigcap_{1 \le i < j \le r} V(\varphi(x_i) - \varphi(x_j));$$

then, $\mathcal{C}'(V, \varphi, r)$ is the projection of $Z^{(r)}$ on the first factor $K^n$, so it is indeed defined over
$K$, as claimed. □

Before discussing an algorithm that computes $\mathrm{Dec}(V, \varphi)$, we prove a simple lemma that
will be used in the next section.

Lemma 6. Consider two mappings $\varphi : K^n \to K^m$ and $\psi : K^n \to K^\ell$, such that $\psi = f \circ \varphi$,
for some mapping $f : K^m \to K^\ell$, and suppose that $V$ is $\varphi$-equiprojectable. Then any $V'$ in
$\mathrm{Dec}(V, \psi)$ is both $\varphi$-equiprojectable and $\psi$-equiprojectable.

Proof. Let $d$ be the common cardinality of the fibers of the restriction of $\varphi$ to $V$. Let further
$V'$ be in $\mathrm{Dec}(V, \psi)$, and let $x$ be in $V'$. We will show that $c(V', x, \varphi) = d$, thereby establishing
that $V'$ is $\varphi$-equiprojectable ($V'$ is $\psi$-equiprojectable by construction).

Remember that $c(V', x, \varphi)$ is the cardinality of the fiber $F' = \{x' \in V',\ \varphi(x') = \varphi(x)\}$.
We claim that we actually have $F' = F$, with $F = \{x' \in V,\ \varphi(x') = \varphi(x)\}$. Since by
assumption $|F| = d$, proving $F = F'$ is sufficient to prove that $c(V', x, \varphi) = d$.

Of course, $F'$ is a subset of $F$. Conversely, let $x'$ be in $F$. Then, $\varphi(x) = \varphi(x')$ and
our assumption on $\varphi$ and $\psi$ implies that $\psi(x) = \psi(x')$. This implies that $x'$ is in $V'$, as
claimed. □

We now explain how to compute $\mathrm{Dec}(V, \varphi)$. For simplicity, we will assume that $m \le n$,
and that $\varphi$ is a simple linear map (the algorithm would not be substantially different in
general, but a few extra terms could appear in the cost analysis).

Proposition 1. Consider an algebraic set $V \subset K^n$ defined over $K$ and of degree $\delta$, and a
univariate representation $\mathcal{U} = (P, \mathbf{U}, \mu)$ of $V$, and let $\mathrm{Dec}(V, \varphi) = \{V_{r_1}, \dots, V_{r_s}\}$. Suppose
that the following conditions are satisfied:

• the characteristic of $K$ is equal to or greater than $\delta^2$,

• $\varphi$ is a linear map $K^n \to K^m$, of the form $\varphi(x_1, \dots, x_n) = (x_1, \dots, x_m)$.

Then we can compute univariate representations $(P_k, \mathbf{U}_k, \mu)_{1 \le k \le s}$ of $V_{r_1}, \dots, V_{r_s}$ in expected
time $O(C(\delta)(n + \log(\delta)))$.

The rest of this section is devoted to prove this proposition. In what follows, we write
$W = \varphi(V)$ and, for all $k \le s$, $W_{r_k} = \varphi(V_{r_k})$. We also write $\mathbf{U} = (U_1, \dots, U_n)$, with all
$U_i$ in $K[X]$. Since for all $x = (x_1, \dots, x_n)$ in $V$ we have $x_i = U_i(\mu(x))$, we deduce that
$\varphi(x) = (U_1(\mu(x)), \dots, U_m(\mu(x)))$ for $x$ in $V$.

Step 1. Choose a random linear form $\nu = \nu_1 Y_1 + \cdots + \nu_m Y_m$ with coefficients in
$\{0, \dots, \delta^2 - 1\}$, compute $N = \nu_1 U_1 + \cdots + \nu_m U_m$, and compute the characteristic polynomial $\chi_N$ of
$N$ in $K[X]/\langle P \rangle$. Computing $N$ takes time $O(n\delta)$ and computing its characteristic polynomial
takes time $O(C(\delta))$, see Subsection 2.1.

The linear form $\nu$ must be a separating element for $W$. To verify if this is the case,
we check whether $U_1, \dots, U_m$ can be written as polynomials in $N$ modulo $P$. This is done
using the algorithm for inverse modular composition, and takes time $O(m\,C(\delta))$, which is
$O(n\,C(\delta))$. Due to our assumption on the characteristic of $K$, we need to test an expected
$O(1)$ choices of $\nu$ before finding a separating element, see Lemma 1.

Remark that for $x$ in $V$, $N(\mu(x)) = \nu_1 U_1(\mu(x)) + \cdots + \nu_m U_m(\mu(x)) = \nu(\varphi(x))$.



Step 2. Compute the squarefree decomposition of $\chi_N$; this takes time $O(M(\delta)\log(\delta))$,
see [18, Chapter 14]. Using the previous notation, we claim this decomposition has the form

$$\chi_N = C_1^{r_1} \cdots C_s^{r_s}, \quad\text{with}\quad C_k = \prod_{y \in W_{r_k}} (X - \nu(y)).$$

Indeed, by Stickelberger's Theorem, we have the factorization

$$\chi_N = \prod_{x \in V} (X - N(\mu(x))).$$

For $y \in W$, let $r(y)$ be the cardinality of the fiber $\varphi^{-1}(y) \cap V$. Then we obtain the
factorization

$$\chi_N = \prod_{y \in W} (X - \nu(y))^{r(y)},$$

since by construction the projections $W_{r_k}$ are pairwise disjoint. As $\nu$ is separating for $W$,
the linear factors $X - \nu(y)$ are pairwise distinct, which proves our claim.

For future use, note that $\sum_{i \le s} \deg(C_i) \le \delta$, since $\chi_N = C_1^{r_1} \cdots C_s^{r_s}$ has degree $\delta$.

Step 3. For $k \le s$, compute $P_k = \gcd(C_k(N), P)$. We will prove at the end of the section
that this can be done in time $O(C(\delta)\log(\delta))$. That proof will be somewhat lengthy; for the
moment, we will only prove that for $k \le s$, we have

$$P_k = \prod_{x \in V_{r_k}} (X - \mu(x)). \tag{4}$$

Both sides are squarefree (since they divide $P$), so to prove our claim it is enough to prove
that the roots of $P_k$ are exactly the values $\mu(x)$ for $x$ in $V_{r_k}$. As a preliminary remark, recall
that for all $x$ in $V$, we have $\nu(\varphi(x)) = N(\mu(x))$.

• For $x = (x_1, \dots, x_n)$ in $V_{r_k}$, $\varphi(x)$ is in $W_{r_k}$, so $\nu(\varphi(x))$ is a root of $C_k$. By the remark
above, this shows that $\mu(x)$ is a root of $C_k(N)$. But of course $\mu(x)$ is also a root of $P$,
so $\mu(x)$ is a root of $P_k$.

• Conversely, consider a root $a$ of $P_k$. Since any root of $P_k$ is a root of $P$, $a$ is of the
form $\mu(x)$ for some $x$ in $V$. But by assumption $a = \mu(x)$ is also a root of $C_k(N)$, which
means that $\nu(\varphi(x))$ is a root of $C_k$. In particular, $\nu(\varphi(x))$ is a root of no other $C_{k'}$,
because these polynomials are pairwise coprime. This implies that $\varphi(x)$ belongs to no
other $W_{r_{k'}}$, so it must belong to $W_{r_k}$; thus, $x$ is in $V_{r_k}$.

Note also that we have $P = P_1 \cdots P_s$, all $P_k$ being pairwise coprime.

Step 4. For $k \le s$ and $j \le n$, compute $U_{k,j} = U_j \bmod P_k$. This can be done in time
$O(n\,M(\delta)\log(\delta))$ using fast multiple reduction [18, Chapter 10], which is $O(n\,C(\delta))$. Writing
$\mathbf{U}_k = (U_{k,1}, \dots, U_{k,n})$, Eq. (4) shows that for $k \le s$, $(P_k, \mathbf{U}_k, \mu)$ is a univariate representation
of $V_{r_k}$, so we are done.

Analysis of Step 3. Summing all the costs mentioned above gives the cost estimate
claimed in Proposition 1. All that is missing is to prove that, as announced, the cost of
computing the polynomials $P_k$ of Step 3 is $O(C(\delta)\log(\delta))$.

Recall that for all $k \le s$, $P_k = \gcd(C_k(N), P)$. We cannot compute the polynomials
$C_k(N)$, or even $C_k(N) \bmod P$, as there are too many of them: one easily sees that $s$ could
be as large as $\sqrt{\delta}$; each polynomial $C_k(N) \bmod P$ requires to store $\delta$ field elements, so
computing all of them would take time at least $\delta^{3/2}$.

Therefore, we compute the $P_k$ directly, using divide-and-conquer techniques. Given
polynomials $A, Q \in K[X]$, we will write

$$
\begin{aligned}
\Gamma(A, Q) &= \gcd(A(N), Q) && (5) \\
             &= \gcd(A(N \bmod Q) \bmod Q,\ Q) && (6)
\end{aligned}
$$

so that the polynomials we want to compute are $P_1 = \Gamma(C_1, P), \dots, P_s = \Gamma(C_s, P)$.

Assuming we know $N \bmod Q$, Definition (6) shows that we can compute $\Gamma(A, Q)$ by
computing first $A(N \bmod Q) \bmod Q$, then taking its GCD with $Q$. Since by assumption
$M(d)\log(d)$ is $O(C(d))$, we can thus obtain $\Gamma(A, Q)$ in time $O(C(d))$ by modular composition
and fast GCD, with $d = \max(\deg(A), \deg(Q))$; we will call this the plain algorithm. In
particular, we could compute any $P_k$ in time $O(C(\delta))$. However, as we mentioned above,
computing all $P_k$ directly in this manner incurs a cost of the form $s\,C(\delta)$, which is too much
for our purposes.

The key equality we will use is the following: for any polynomials $A, B$, we have

$$\Gamma(A, Q) = \Gamma(A, \Gamma(AB, Q)). \tag{7}$$

Indeed, using Definition (5), the left-hand side reads

$$\Gamma(A, Q) = \gcd(A(N), Q),$$

whereas the right-hand side is

$$\Gamma(A, \Gamma(AB, Q)) = \gcd(A(N), \gcd((AB)(N), Q));$$

equality (7) follows from the fact that $\gcd(F_1, G) = \gcd(F_1, \gcd(F_1 F_2, G))$ holds for all
polynomials $F_1, F_2, G$.

We are now ready to explain how to complete Step 3. To simplify our presentation, we
will assume that $s$ is a power of two, of the form $s = 2^w$; when this is not the case, we can
complete $C_1, \dots, C_s$ by dummy polynomials equal to 1, so as to replace $s$ by the next power of
two, without affecting the asymptotic running time.

Step 3.1. We compute the subproduct tree (see details below) associated to $C_1, \dots, C_s$.
From [18, Chapter 10], this can be done in time $O(M(\delta)\log(\delta))$, since we have seen that
$\sum_{i \le s} \deg(C_i) \le \delta$. Using our assumption on $M$ and $C$, this is in $O(C(\delta))$.

At the top level of the subproduct tree, the root is labelled by $K_{0,1} = C_1 \cdots C_s$; its two
children are labelled by $K_{1,1} = C_1 \cdots C_v$ and $K_{1,2} = C_{v+1} \cdots C_s$ with $v = s/2$, and so on.
For $j = 0, \dots, w$, the polynomials at the $j$th level are written $K_{j,i}$, with $i = 1, \dots, 2^j$, so that
$K_{j,i} = K_{j+1,2i-1} K_{j+1,2i}$. At the leaves, for $j = w$, we have $K_{w,i} = C_i$.

In what follows, we are going to compute all polynomials $\Gamma(K_{j,i}, P)$, for $j = 0, \dots, w$ and
$i = 1, \dots, 2^j$, in a top-down manner. At the leaves, for $j = w$, we will obtain the polynomials
$\Gamma(K_{w,i}, P) = \Gamma(C_i, P) = P_i$ we are looking for.

Step 3.2. We compute

$$\gamma_{0,1} = \Gamma(K_{0,1}, P)$$

using the plain algorithm, in time $O(C(\delta))$, as well as $N_{0,1} = N \bmod \gamma_{0,1}$ in time $O(M(\delta))$,
by fast Euclidean division. The latter cost is negligible.

Step 3.3. For $j = 0, \dots, w - 1$ and $i = 1, \dots, 2^j$, assuming we know $\gamma_{j,i}$ and $N_{j,i} = N \bmod \gamma_{j,i}$,
we compute

$$\gamma_{j+1,2i-1} = \Gamma(K_{j+1,2i-1}, \gamma_{j,i}) \quad\text{and}\quad \gamma_{j+1,2i} = \Gamma(K_{j+1,2i}, \gamma_{j,i})$$

followed by

$$N_{j+1,2i-1} = N_{j,i} \bmod \gamma_{j+1,2i-1} \quad\text{and}\quad N_{j+1,2i} = N_{j,i} \bmod \gamma_{j+1,2i}.$$

Our claim is twofold: first, we will prove that $\gamma_{j,i} = \Gamma(K_{j,i}, P)$ for all $j, i$; second, we will
establish that the total running time is $O(C(\delta)\log(\delta))$. Note that this is enough to finish the
proof of Proposition 1, since we have seen that for $j = w$, we have $\Gamma(K_{w,i}, P) = P_i$.

The proof that $\gamma_{j,i} = \Gamma(K_{j,i}, P)$ is done by induction on $j$. By definition, this is true for
$\gamma_{0,1}$; for $j \ge 1$, this follows from Equation (7), first taking $A = K_{j+1,2i-1}$, $B = K_{j+1,2i}$ and
$Q = P$, then $A = K_{j+1,2i}$, $B = K_{j+1,2i-1}$ and $Q = P$. Since $\gamma_{j+1,2i-1}$ and $\gamma_{j+1,2i}$ divide $\gamma_{j,i}$,
we can also prove by induction that $N_{j,i} = N \bmod \gamma_{j,i}$ holds for all $j, i$.

It remains to do the cost analysis. Since $N_{j,i} = N \bmod \gamma_{j,i}$ is known, we can indeed
compute $\gamma_{j+1,2i-1}$ and $\gamma_{j+1,2i}$ from $K_{j+1,2i-1}$, $K_{j+1,2i}$ and $\gamma_{j,i}$ by the plain algorithm in time
$O(C(d_{j,i}))$, where we write

$$d_{j,i} = \max(\deg(K_{j+1,2i-1}), \deg(K_{j+1,2i}), \deg(\gamma_{j,i})) \le \max(\deg(K_{j,i}), \deg(\gamma_{j,i})).$$

The computation of $N_{j+1,2i-1}$ and $N_{j+1,2i}$ can be done in time $O(M(\deg(\gamma_{j,i})))$, which is
negligible by assumption. Hence, the total cost is, up to a constant factor,

$$\sum_{j=0,\dots,w-1}\ \sum_{i=1,\dots,2^j} C(\max(\deg(K_{j,i}), \deg(\gamma_{j,i}))).$$

This admits the obvious upper bound

$$\sum_{j=0,\dots,w-1}\ \sum_{i=1,\dots,2^j} C(\deg(K_{j,i})) + \sum_{j=0,\dots,w-1}\ \sum_{i=1,\dots,2^j} C(\deg(\gamma_{j,i})).$$

Using the super-linearity of $C$, we obtain the upper bound

$$\sum_{j=0,\dots,w-1} C\Bigl(\sum_{i=1,\dots,2^j} \deg(K_{j,i})\Bigr) + \sum_{j=0,\dots,w-1} C\Bigl(\sum_{i=1,\dots,2^j} \deg(\gamma_{j,i})\Bigr).$$

To conclude the cost analysis, we will prove the inequalities

$$\sum_{i \le 2^j} \deg(K_{j,i}) \le \delta \quad\text{and}\quad \sum_{i \le 2^j} \deg(\gamma_{j,i}) \le \delta.$$

These inequalities imply a cost upper bound of the form $\sum_{j=0,\dots,w-1} C(\delta)$, up to a constant
factor. The claim on the total cost follows, since $w$ is in $O(\log(\delta))$.

• The first inequality $\sum_{i \le 2^j} \deg(K_{j,i}) \le \delta$ is a straightforward consequence of the
equality $\sum_{i \le 2^j} \deg(K_{j,i}) = \sum_{i \le s} \deg(C_i)$, which itself follows from the definition of the
subproduct tree, and the fact that $\sum_{i \le s} \deg(C_i) \le \delta$.

• To obtain the second inequality $\sum_{i \le 2^j} \deg(\gamma_{j,i}) \le \delta$, we start by proving that for fixed
$j$, and for $i \ne i'$, $\gamma_{j,i}$ and $\gamma_{j,i'}$ are coprime. Indeed, we have seen that

$$\gamma_{j,i} = \gcd(K_{j,i}(N), P),$$

where $K_{j,i}$ has the form $K_{j,i} = \prod_{\ell \in \kappa_{j,i}} C_\ell$. Here, $\kappa_{j,i}$ is a set of indices which we will
not need to make explicit; however, for further use, we note that for $i \ne i'$, $\kappa_{j,i}$ and
$\kappa_{j,i'}$ are disjoint. The factorization of $K_{j,i}$ implies that

$$\gamma_{j,i} = \gcd\Bigl(\prod_{\ell \in \kappa_{j,i}} C_\ell(N),\ P\Bigr).$$

Recall now that the polynomials $P_\ell = \gcd(C_\ell(N), P)$ are pairwise coprime; as a result,
the former equality gives

$$\gamma_{j,i} = \prod_{\ell \in \kappa_{j,i}} \gcd(C_\ell(N), P) = \prod_{\ell \in \kappa_{j,i}} P_\ell.$$

Since for fixed $j$ the sets $\kappa_{j,i}$ are pairwise disjoint, and since the polynomials $P_\ell$ are
pairwise coprime, we deduce that for fixed $j$, the polynomials $\gamma_{j,i}$ themselves are pairwise
coprime, as claimed.

Since by construction all $\gamma_{j,i}$ divide $P$, the product $\prod_{i \le 2^j} \gamma_{j,i}$ must divide $P$ as well,
and the inequality $\sum_{i \le 2^j} \deg(\gamma_{j,i}) \le \delta$ follows.
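
The top-down computation of Step 3, all gcd(C_k(N), P) obtained by descending the subproduct tree, as an added Python example; it is not the authors' Maple implementation. The field GF(101), the point set and every function name are constructed for illustration; the C_k are built directly from the points rather than by squarefree decomposition, quadratic arithmetic and Horner's rule stand in for the fast routines, and subproducts are recomputed at each node instead of being stored.

```python
from functools import reduce

PRIME = 101  # constructed example field; 101 >= delta^2 = 81 for the 9 points below

# Polynomials are coefficient lists, lowest degree first, no trailing zeros; [] is zero.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % PRIME for x, y in zip(a, b)])

def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % PRIME
    return trim(out)

def rem(a, b):
    """Remainder of a modulo the nonzero polynomial b."""
    a, inv = list(a), pow(b[-1], -1, PRIME)
    while len(a) >= len(b):
        c, d = a[-1] * inv % PRIME, len(a) - len(b)
        for i, y in enumerate(b):
            a[d + i] = (a[d + i] - c * y) % PRIME
        trim(a)
    return a

def gcd(a, b):
    """Monic gcd by Euclid's algorithm (b must be nonzero)."""
    while b:
        a, b = b, rem(a, b)
    inv = pow(a[-1], -1, PRIME)
    return [c * inv % PRIME for c in a]

def from_roots(roots):
    return reduce(mul, ([-r % PRIME, 1] for r in roots), [1])

def interpolate(xs, ys):
    """Lagrange interpolation through the points (xs[i], ys[i])."""
    total = []
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        others = [x for j, x in enumerate(xs) if j != i]
        den = 1
        for x in others:
            den = den * (xi - x) % PRIME
        total = add(total, mul(from_roots(others), [yi * pow(den, -1, PRIME) % PRIME]))
    return total

def compose_mod(a, n, q):
    """a(n) mod q by Horner's rule (modular composition)."""
    out = []
    for c in reversed(a):
        out = add(rem(mul(out, n), q), trim([c % PRIME]))
    return rem(out, q)

def gamma(a, q, n_mod_q):
    """Gamma(A, Q) = gcd(A(N mod Q) mod Q, Q): the plain algorithm."""
    return gcd(compose_mod(a, n_mod_q, q), q)

def split(cs, n, p):
    """Return [gcd(C_k(N), P) for each C_k], as in Steps 3.2 and 3.3."""
    def descend(node, g, n_g):
        # Invariant: g = Gamma(product of node, P) and n_g = N mod g.
        if len(node) == 1:
            return [g]
        mid = len(node) // 2
        found = []
        for child in (node[:mid], node[mid:]):
            # Equality (7): Gamma(K_child, P) = Gamma(K_child, Gamma(K_node, P)).
            g_child = gamma(reduce(mul, child, [1]), g, n_g)
            found += descend(child, g_child, rem(n_g, g_child))
        return found
    root = gamma(reduce(mul, cs, [1]), p, rem(n, p))
    return descend(cs, root, rem(n, root))

def demo():
    # Constructed points of V in GF(101)^2; phi(x1, x2) = x1 has fibres of size 1, 2, 3.
    points = [(1, 7), (2, 7), (3, 1), (3, 2), (4, 5), (4, 9), (5, 0), (5, 3), (5, 8)]
    mu = [(x1 + 10 * x2) % PRIME for x1, x2 in points]  # mu = X1 + 10*X2, separating here
    p = from_roots(mu)                                  # P = prod (X - mu(x))
    n = interpolate(mu, [x1 for x1, _ in points])       # N = U_1, so N(mu(x)) = x1
    size = {}
    for x1, _ in points:
        size[x1] = size.get(x1, 0) + 1
    ranks = sorted(set(size.values()))                  # r_1 < ... < r_s
    cs = [from_roots([y for y in size if size[y] == r]) for r in ranks]
    expected = [from_roots([m for m, pt in zip(mu, points) if size[pt[0]] == r])
                for r in ranks]
    return split(cs, n, p), expected, p
```

`demo()` returns the computed factors, the products of X - mu(x) over each fibre class as in Equation (4), and P itself.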
4 Proof of Theorem 1

In this section, we prove Theorem 1. We start by defining equiprojectable sets and the
equiprojectable decomposition. The algorithms underlying Theorem 1 are then
straightforward applications of the results of the previous section.

4.1 The equiprojectable decomposition 

Let $V \subset K^n$ be a zero-dimensional algebraic set defined over $K$. We suppose that we are
given an order $<$ on the variables; up to renaming them, we can suppose that the order is
simply $X_1 < \cdots < X_n$. For $1 \le i \le n$, we define the projection

$$
\begin{array}{rcl}
\pi_i : K^n & \to & K^i \\
x = (x_1, \dots, x_n) & \mapsto & (x_1, \dots, x_i).
\end{array}
$$

Then, we say that $V$ is equiprojectable if it is $\pi_i$-equiprojectable for $i = 1, \dots, n$; in other
words, $V$ is equiprojectable if all fibers of $\pi_1$ on $V$ have a common cardinality $\delta_1$, all fibers
of $\pi_2$ on $V$ have a common cardinality $\delta_2$, etc.

In general, we should not expect V to be equiprojectable. There are potentially many 
ways to decompose V into equiprojectable sets; the equiprojectable decomposition will be a 
canonical partition of V into pairwise disjoint equiprojectable sets, that will all be defined 
over K. 

We will actually define a sequence $\mathrm{Dec}(V, i, <)$, for $i = n, \dots, 1$, which will all be partitions
of $V$, refining one another. At index $n$, we write $\mathrm{Dec}(V, n, <) = \{V\}$. Then, for $i < n$,
assuming that we have defined

$$\mathrm{Dec}(V, i + 1, <) = \{V_{i+1,1}, \dots, V_{i+1,s_{i+1}}\},$$

we obtain $\mathrm{Dec}(V, i, <)$ by computing the $\pi_i$-decomposition of every element in $\mathrm{Dec}(V, i + 1, <)$:

$$\mathrm{Dec}(V, i, <) = \bigcup_{k \le s_{i+1}} \mathrm{Dec}(V_{i+1,k}, \pi_i),$$

which we rewrite as

$$\mathrm{Dec}(V, i, <) = \{V_{i,1}, \dots, V_{i,s_i}\}.$$

An easy decreasing induction proves that for $i = 1, \dots, n$ and $k \le s_i$, every $V_{i,k}$ is
$\pi_j$-equiprojectable for $j = i, \dots, n$:

• For $i = n$, $\mathrm{Dec}(V, n, <)$ is simply $\{V\}$, which is $\pi_n$-equiprojectable (since $\pi_n$ is the
identity).

• For $i < n$, assuming that the claim holds for $\mathrm{Dec}(V, i + 1, <)$, we prove it for $\mathrm{Dec}(V, i, <)$.
To do so, it is enough to take $V_{i+1,k}$ in $\mathrm{Dec}(V, i + 1, <)$ and prove that every $V'$ in
$\mathrm{Dec}(V_{i+1,k}, \pi_i)$ is $\pi_j$-equiprojectable, for $j = i, \dots, n$.

Obviously, $V'$ is $\pi_i$-equiprojectable. Besides, since by the induction assumption $V_{i+1,k}$ is
$\pi_j$-equiprojectable for $j = i + 1, \dots, n$, Lemma 6 implies that $V'$ is also $\pi_j$-equiprojectable
for $j = i + 1, \dots, n$.

Taking $i = 1$, $\mathrm{Dec}(V, 1, <)$ is the equiprojectable decomposition of $V$; we will actually denote
it by $\mathrm{Dec}(V, <)$. Dropping the subscript $i$, we will write

$$\mathrm{Dec}(V, <) = \{V_1, \dots, V_s\}.$$

This is thus a decomposition of $V$ into pairwise disjoint equiprojectable sets $V_j$.

Aubry and Valibouze proved in [3] that an algebraic set is equiprojectable if and only
if its defining ideal is generated by a triangular set. Besides, by Lemma 5 each $V_j$ is
defined over $K$; thus, its defining ideal is generated by a triangular set $T^{(j)}$ in $K[\mathbf{X}]$. As
said in the introduction, we will write $\mathcal{D}(V, <)$ to denote the collection of the triangular sets
$\{T^{(1)}, \dots, T^{(s)}\}$. In ideal-theoretic terms, the ideals $\langle T^{(j)} \rangle$ are thus pairwise coprime, and
their intersection is the defining ideal $I$ of $V$, so that $K[\mathbf{X}]/I \simeq R_{T^{(1)}} \times \cdots \times R_{T^{(s)}}$.

The following proposition gives a cost estimate on the computation of the equiprojectable 
decomposition, using a univariate representation as input. 

Proposition 2. Let $V \subset K^n$ be a zero-dimensional algebraic set defined over $K$, of degree $\delta$.
If the characteristic of $K$ is equal to or greater than $\delta^2$, given a univariate representation
$\mathcal{U}$ of $V$, we can compute $\mathcal{D}(V, <) = \{T^{(1)}, \dots, T^{(s)}\}$ in expected time $O(n\,C(\delta)(n + \log(\delta)))$.
Besides, the following change of bases can be done in time $O(n\,C(\delta))$:

• given $A$ in $K[X]/\langle P \rangle$, compute its images $(A_1, \dots, A_s)$ in $R_{T^{(1)}} \times \cdots \times R_{T^{(s)}}$;

• given $(A_1, \dots, A_s)$ in $R_{T^{(1)}} \times \cdots \times R_{T^{(s)}}$, compute their preimage $A$ in $K[X]/\langle P \rangle$.

Proof. Let us write as before $\mathrm{Dec}(V, <) = \{V_1, \dots, V_s\}$. The algorithm to compute $\mathcal{D}(V, <)$
proceeds in two steps: first, we compute univariate representations of all $V_j$; secondly, we
convert them into triangular sets. As we go, we also explain how to perform the change of
basis from $A$ to $(A_1, \dots, A_s)$, and back.

Step 1. Recall the definition of the sequence $\mathrm{Dec}(V, i, <)$: we have $\mathrm{Dec}(V, n, <) = \{V\}$
and starting from

$$\mathrm{Dec}(V, i + 1, <) = \{V_{i+1,1}, \dots, V_{i+1,s_{i+1}}\},$$

we set

$$\mathrm{Dec}(V, i, <) = \bigcup_{k \le s_{i+1}} \mathrm{Dec}(V_{i+1,k}, \pi_i).$$

The first step of the algorithm follows the same loop, and computes univariate representations
of all $V_{i,k}$. We set $\mathcal{U}_{n,1} = \mathcal{U}$, and for $i = n - 1, \dots, 1$, we let $\mathcal{U}_{i,1}, \dots, \mathcal{U}_{i,s_i}$ be the univariate
representations obtained by applying the algorithm of Proposition 1 to $\mathcal{U}_{i+1,1}, \dots, \mathcal{U}_{i+1,s_{i+1}}$ and
$\pi_i$. If $\delta_{i+1,k}$ denotes the degree of $V_{i+1,k}$, applying the algorithm of Proposition 1 to $\mathcal{U}_{i+1,k}$
and $\pi_i$ takes an expected time

$$O(C(\delta_{i+1,k})(n + \log(\delta_{i+1,k}))).$$

Using the super-linearity of $C$, and the fact that $\delta_{i+1,1} + \cdots + \delta_{i+1,s_{i+1}} = \delta$, the time spent at
index $i$ is seen to be an expected $O(C(\delta)(n + \log(\delta)))$. Summing over all $i$, the total time is
an expected

$$O(n\,C(\delta)(n + \log(\delta))).$$

Let $P$ be the characteristic polynomial of $\mathcal{U}$, and let $P_1, \dots, P_{s_1}$ be those of $\mathcal{U}_{1,1}, \dots, \mathcal{U}_{1,s_1}$.
Since the separating elements of $\mathcal{U}$ and $\mathcal{U}_{1,1}, \dots, \mathcal{U}_{1,s_1}$ are the same, we have $P = P_1 \cdots P_{s_1}$.
The change of basis $K[X]/\langle P \rangle \to K[X]/\langle P_1 \rangle \times \cdots \times K[X]/\langle P_{s_1} \rangle$ is done by multiple
reduction, and the inverse conversion is done using the Chinese Remainder Theorem. Using the
results of [18, Chapter 10], both conversions take time $O(M(\delta)\log(\delta))$, which is $O(C(\delta))$.

Step 2. Starting from $\mathcal{U}_{1,1}, \dots, \mathcal{U}_{1,s_1}$, we now compute the corresponding triangular sets
$T^{(1)}, \dots, T^{(s)}$. This is done by applying Lemma 4, which shows that we can compute each
triangular set $T^{(j)}$ in expected time $O(n^2 C(\delta_j))$, where $\delta_j$ is the degree of $V_j$. Summing over
all $j$ and using the super-linearity of the function $C$ gives a total expected time of $O(n^2 C(\delta))$.
Using the notation of Subsection 2.2, the conversion

$$K[X]/\langle P_1 \rangle \times \cdots \times K[X]/\langle P_{s_1} \rangle \to R_{T^{(1)}} \times \cdots \times R_{T^{(s)}}$$

and its inverse are done by applying

$$(\Phi_{T^{(1)},\mathcal{U}_{1,1}}, \dots, \Phi_{T^{(s)},\mathcal{U}_{1,s_1}}) \quad\text{and}\quad (\Psi_{T^{(1)},\mathcal{U}_{1,1}}, \dots, \Psi_{T^{(s)},\mathcal{U}_{1,s_1}}).$$

By Lemma 4 and using the super-linearity of $C$, each conversion takes time $O(n\,C(\delta))$. □

4.2 Solving question P1

We can now show how to solve question P1 stated in the introduction. Given triangular sets
$T^{(1)}, \dots, T^{(s)}$ and $S^{(1)}, \dots, S^{(t)}$ for an order $<$, and a target order $<'$, we want to compute
$\mathcal{D}(V, <')$, with

$$V = V(T^{(1)}) \cup \cdots \cup V(T^{(s)}) - V(S^{(1)}) - \cdots - V(S^{(t)}).$$

We let $\delta$ be the sum of the degrees of $T^{(1)}, \dots, T^{(s)}$ and $S^{(1)}, \dots, S^{(t)}$ and we make the
assumption that the characteristic of $K$ is equal to or greater than $\delta^2$.

Our strategy is to reduce to univariate representations, perform the set theoretic
operations on univariate polynomials, and finally compute the equiprojectable decomposition for
the new order.

Step 1. We compute univariate representations $\mathcal{U}_1, \dots, \mathcal{U}_s$ and $\mathcal{V}_1, \dots, \mathcal{V}_t$ of respectively
$V(T^{(1)}), \dots, V(T^{(s)})$ and $V(S^{(1)}), \dots, V(S^{(t)})$. By Lemma 4 this can be done in expected
time

$$O(n^2 (C(\delta_1) + \cdots + C(\delta_s) + C(\delta_1') + \cdots + C(\delta_t'))),$$

where $\delta_i$ is the degree of $T^{(i)}$ and $\delta_i'$ is the degree of $S^{(i)}$. Using the super-linearity of $C$, this
is seen to be an expected $O(n^2 C(\delta))$.

Step 2. We compute univariate representations $\mathcal{U}$ of $V(T^{(1)}) \cup \cdots \cup V(T^{(s)})$ and $\mathcal{V}$ of
$V(S^{(1)}) \cup \cdots \cup V(S^{(t)})$. The following divide-and-conquer process takes an expected time
$O(n\,C(\delta)\log(\delta))$ to achieve this task.

We apply repeatedly the union algorithm of Lemma 3 to $\mathcal{U}_1, \dots, \mathcal{U}_s$, respectively $\mathcal{V}_1, \dots, \mathcal{V}_t$.
To compute say $\mathcal{U}$, we let $s' = \lceil s/2 \rceil$, and we compute recursively univariate representations
of

$$V(T^{(1)}) \cup \cdots \cup V(T^{(s')}) \quad\text{and}\quad V(T^{(s'+1)}) \cup \cdots \cup V(T^{(s)});$$

then, these two univariate representations are merged by means of Lemma 3. The running
time analysis is the same as in the proof of Proposition 1; the divide-and-conquer structure
of the algorithm induces the loss of a logarithmic factor, as is the case for other algorithms
with the same structure [18, Chapter 10].

Step 3. By another application of Lemma 3 to $\mathcal{U}$ and $\mathcal{V}$, this time for computing a
set-theoretic difference, we finally obtain a univariate representation $\mathcal{W}$ of $V$. This takes an
expected time $O(n\,C(\delta))$.

Step 4. Starting from $\mathcal{W}$, we compute $\mathcal{D}(V, <')$ using the algorithm of Proposition 2. This
takes an expected time $O(n\,C(\delta)(n + \log(\delta)))$.

The total cost of this algorithm is an expected $O(n\,C(\delta)(n + \log(\delta)))$, as claimed in
Theorem 1.

4.3 Solving question P2 

Next, we show how to solve question P2 stated in the introduction. Given a triangular set
$T$ in $\mathbb{K}[X_1, \dots, X_n]$ for a variable order $<$, as well as $F$ in $R_T$ and a target variable order
$<'$, we are to compute the equiprojectable decompositions of

$$V(T) \cap V(F) \quad\text{and}\quad V(T) - V(F)$$

for the order $<'$, as well as the inverse of $F$ modulo each $T'$ in the equiprojectable decomposition
of $V(T) - V(F)$ for the order $<'$. We let $\delta$ be the degree of $T$ and we make the assumption that
the characteristic of $\mathbb{K}$ is equal to or greater than $\delta$^.

Our strategy is similar to the one of the previous subsection: we convert to a univariate 
representation, operate with univariate polynomials, and convert back to triangular repre- 
sentations. 

Step 1. We compute a univariate representation $(P, U, \mu)$ of $V(T)$ and F* =
\1't,"?/(P)- By Lemma 4, this can be done in expected time $O(n^2 C(\delta))$.

Step 2. We compute $P' = \gcd(P, F^*)$ and $P'' = P/P'$, as well as the inverse $G^*$ of $F^*$
modulo $P''$ (this inverse exists, since $P$ is squarefree). This takes time $O(M(\delta)\log(\delta))$, which
is $O(C(\delta))$.

The roots of $P'$ describe the points of $V(T)$ where $F$ vanishes; the roots of $P''$ describe
those where $F$ is nonzero.

Step 3. Writing $U = (U_1, \dots, U_n)$, we compute $U_i' = U_i \bmod P'$ and $U_i'' = U_i \bmod P''$ for
all $i$, and we define the two univariate representations $(P', (U_1', \dots, U_n'), \mu)$ and
$(P'', (U_1'', \dots, U_n''), \mu)$. This takes time $O(nM(\delta))$, which is negligible compared to the cost of Step 1.

Note that the first one is a univariate representation of $V(T) \cap V(F)$, and that the second one is a
univariate representation of $V(T) - V(F)$.



Step 4. Starting from these two univariate representations, we compute the equiprojectable
decompositions of $V(T) \cap V(F)$ and $V(T) - V(F)$ for the order $<'$ using the algorithm of
Proposition 2. This takes an expected time $O(nC(\delta)(n + \log(\delta)))$. Besides, using the second
part of Proposition 2, we can compute the image of $G^*$ in each $R_{T'}$, for $T'$ in the equiprojectable
decomposition of $V(T) - V(F)$. This image is the inverse of $F$ in $R_{T'}$.

As for question P2, the total cost of this algorithm is an expected $O(nC(\delta)(n + \log(\delta)))$,
as claimed in Theorem 1.
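
The univariate part of Steps 2 and 3 above, as an added example in Python (it is not the paper's Maple code). It assumes list-based polynomials over F_p, hypothetical helper names, an F* supplied directly as a polynomial in the separating variable, and constructed sample data.

```python
from itertools import zip_longest

# Added example: Steps 2 and 3 of Section 4.3 on univariate data over F_p.
# Polynomials are coefficient lists, lowest degree first, without trailing zeros.
P_MOD = 962592769  # the prime used in the paper's experiments

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def mul(a, b):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P_MOD
    return trim(out)

def sub(a, b):
    return trim([(x - y) % P_MOD for x, y in zip_longest(a, b, fillvalue=0)])

def divmod_poly(a, b):
    """Quotient and remainder of a by a nonzero b."""
    a = a[:]
    q = [0] * max(len(a) - len(b) + 1, 0)
    inv_lead = pow(b[-1], -1, P_MOD)
    for k in range(len(a) - len(b), -1, -1):
        q[k] = a[k + len(b) - 1] * inv_lead % P_MOD
        for j, bj in enumerate(b):
            a[k + j] = (a[k + j] - q[k] * bj) % P_MOD
    return trim(q), trim(a[:len(b) - 1])

def xgcd(a, b):
    """Monic g = gcd(a, b) and a cofactor s with s*a = g mod b."""
    r0, r1, s0, s1 = a[:], b[:], [1], []
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, sub(s0, mul(q, s1))
    c = pow(r0[-1], -1, P_MOD)
    return [x * c % P_MOD for x in r0], [x * c % P_MOD for x in s0]

def split_by_vanishing(P, U, F_star):
    """Steps 2-3 for squarefree monic P: (P', U') and (P'', U'', G*)."""
    P1, _ = xgcd(P, F_star)                            # P' = gcd(P, F*)
    P2, _ = divmod_poly(P, P1)                         # P'' = P / P'
    g, G_star = xgcd(divmod_poly(F_star, P2)[1], P2)   # G* F* = 1 mod P''
    if g != [1]:
        raise ValueError("F* is not a unit modulo P''; P is not squarefree")
    U1 = [divmod_poly(Ui, P1)[1] for Ui in U]          # U_i' = U_i mod P'
    U2 = [divmod_poly(Ui, P2)[1] for Ui in U]          # U_i'' = U_i mod P''
    return (P1, U1), (P2, U2, divmod_poly(G_star, P2)[1])

def from_roots(roots):
    P = [1]
    for r in roots:
        P = mul(P, [-r % P_MOD, 1])
    return P

def demo():
    # Constructed data: points (x, x^2 + 1), x = 0..4; mu = X1; F = X2 - 2*X1 - 1.
    P, U = from_roots([0, 1, 2, 3, 4]), [[0, 1], [1, 0, 1]]
    return split_by_vanishing(P, U, [0, P_MOD - 2, 1])  # F* = Z^2 - 2Z
```

In the sample, F vanishes at the points with x = 0 and x = 2, so P' has those two roots and G* inverts F* at the remaining three.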



4.4 Experimental results 

This section reports on experimental results obtained with a Maple implementation of the
algorithms of Subsections 4.2 and 4.3.



Our implementation supports inputs with coefficients in finite fields of the form Fp, p 
prime. This is the most natural choice, since over base fields such as Q or rational function 
fields, the cost of arithmetic operations in the base field cannot be assumed to be constant. 
For inputs defined over e.g. Q, the natural approach would be to use modular methods, using 
for instance lifting techniques (for which the equiprojectable decomposition is particularly 
well suited, as we pointed out in the introduction) . 

Over base fields such as Fp, we have two choices for modular composition and power
projection: algorithms following Brent and Kung's idea, as described in Section 2J^, or the
extension of the Kedlaya-Umans algorithm given in [34]. Unfortunately, even though the
latter is asymptotically better, the large constants hidden in the $\tilde{O}$ notation make it inferior
for the range of degrees we consider. Thus, our implementation relies on the Brent-Kung
approach.

Other than modular composition and power projection, our algorithms use only univariate
and bivariate polynomial arithmetic. As a result, they were implemented using the
modp1 functions, which provide fast implementations of arithmetic operations in Fp[X], for
p a word-size prime.

The following timings are obtained using Maple 15 on a 2.8 GHz AMD Athlon II X2
240e processor. The base field is Fp, with p = 962592769. All timings are in seconds, and
all computations were interrupted whenever they used 2 Gb of RAM or more.

Our first experiments concern the particular case of question P1, where the input and
the target order are the same, and r = 0. In other words, we take as input some triangular
sets $T^{(1)}, \dots, T^{(s)}$ for an order $<$, and we compute the equiprojectable decomposition of

$$V(T^{(1)}) \cup \cdots \cup V(T^{(s)})$$

for the same order. In Table 1, we show comparisons with the function
EquiprojectableDecomposition of the RegularChains library [27], which has similar
specifications (we are not aware of other implementations of such an algorithm).

Table 1: Timings for equiprojectable decomposition

   n   d     δ     us   Maple   |   n   d     δ     us   Maple
   3   2     4   0.03    0.03   |   4   2     5   0.06    0.05
   3   3    10   0.07    0.12   |   4   3    15    0.2     0.4
   3   4    20   0.12    0.52   |   4   4    35    0.3     2.1
   3   5    35   0.22     1.6   |   4   5    70    0.8     8.4
   3   6    56   0.44     4.2   |   4   6   126    1.9      40

   n   d     δ     us   Maple   |   n   d     δ     us   Maple
   5   2     6   0.09    0.08   |   6   2     7   0.15    0.13
   5   3    21   0.37    0.96   |   6   3    28    0.5     2.1
   5   4    56   0.81     6.5   |   6   4    84    1.8      19
   5   5   126    2.4      45   |   6   5   210    8.2     300
   5   6   252    9.5     512   |   6   6   462     49    5885

In each sub-table, the number $n$ of variables is fixed; we show timings for the equiprojectable
decompositions of sets of points of cardinality $\delta$; the column $d$ gives an upper bound
on all $d_i$ that appear as main degrees in the triangular sets in the output. In almost all cases,
our implementation does better than the built-in function; the fact that we are relying on
the modp1 functions is certainly a key factor for this.

Our second experiments address inverse computation modulo a triangular set, which is
a particular case of question P2: the input and the target order are the same, and (by
construction of our examples), no splitting occurred. In other words, we take as input a
triangular set $T$ and $F \in R_T$, invertible in $R_T$; we output the inverse of $F$ in $R_T$.

In Table 2, we give examples for various situations: $n$ denotes the number of variables
and $d$ is such that the input triangular set has multidegree $(d, \dots, d)$, of length $n$; thus, its
degree $\delta$ is $d^n$.

We show comparisons with the function Inverse of the RegularChains library. This 
function may induce splittings; if we wanted the same output as in our implementation, we 
would also have to perform a recombination after the call to Inverse (we did not include 
this step in the timings). As in the previous example, our code usually does better. 

We also include timings obtained by using the C modpn library [30], which can be called
from a Maple session. Obviously, we expect this compiled library to be much faster than our
interpreted code; however, timings are sometimes within a factor of 10 or less, which we see
as a sign that our implementation performs well. Note that modpn relies on FFT techniques;
as a result, only those finite fields Fp with suitable roots of unity are supported (the field Fp
in our examples is one of them).

Table 2: Timings for inversion in $R_T$

   n   d       δ      us   Inverse   modpn   |   n   d       δ      us   Inverse   modpn
   3   2       8                             |   4   2      16                      0.01
   3   3      27    0.06       1.4    0.01   |   4   3      81     0.2       4.8    0.06
   3   4      64    0.14       5.2    0.02   |   4   4     256       1       600     0.1
   3   5     125    0.24       6.1    0.05   |   4   5     625     5.3     10536     0.8
   3   6     216    0.75        21    0.06   |   4   6    1296      23    > 2 Gb     1.2

   n   d       δ      us   Inverse   modpn   |   n   d       δ      us   Inverse   modpn
   5   2      32    0.14       210    0.03   |   6   2      64     0.3    > 2 Gb     0.1
   5   3     243              1576    0.42   |   6   3     729     8.8    > 2 Gb     4.6
   5   4    1024     1.5    > 2 Gb     1.2   |   6   4    4096     273    > 2 Gb      18
   5   5    3125     151    > 2 Gb      24   |   6   5   15625    5099    > 2 Gb     661
   5   6    7776    1007    > 2 Gb      37   |   6   6   46656   67339    > 2 Gb    1135




5 The converse reduction 

This section is mostly independent from the other ones. In the previous sections, we used 
modular composition and power projection as our basic subroutines, and reduced other 
questions to these two operations. In this section, we will do the opposite, by reducing 
modular composition and power projection to equiprojectable decomposition. 

As mentioned in the introduction, modular composition and power projection are dual 
problems. An algorithmic theorem called the transposition principle shows that an algorithm 
for the former can be transformed into an algorithm for the latter, and conversely [UlITj: this 
result could in principle allow us to deal only with e.g. modular composition. However, it 
applies only in a restricted computational model (using linear programs), which is not suited 
to questions such as decompositions of triangular sets (which are inherently non-linear). As 
a result, we give explicit reductions for both modular composition and power projection. 

In the introduction, we defined $E : \mathbb{N}^2 \to \mathbb{N}$ as a function such that one can solve problem
P1 (computing the equiprojectable decomposition of a family of triangular sets in $n$ variables,
with sum of degrees $\delta$) using $E(n, \delta)$ base field operations.

Recall then the statement of Theorem 2: we take $(m,n) = (1,1)$ or $(m,n) = (1,2)$, and
we let $T$ be a triangular set in $n$ variables that generates a radical ideal. Then, we can
compute modular compositions and power projections modulo $\langle T \rangle$ with parameters $(m, n)$
and size $\delta_f < \delta_T$ in time $2E(4, \delta_T) + \tilde{O}(\delta_T)$.

The two subsections address respectively modular composition and power projection. In
both cases, we can assume that $n = 2$, since any triangular set in one variable (that is, any
polynomial $T_1(X_1)$) can be seen as a triangular set in two variables, by adding a dummy
polynomial $T_2(X_1, X_2) = X_2$. Note that the proofs would generalize to computations in
more than two variables, and would involve terms of the form $E(n + 2, \delta_T)$.

5.1 Modular composition

Following the previous discussion, let thus $T = (T_1, T_2)$ be a triangular set in $\mathbb{K}[X_1, X_2]$, $G$ in
$R_T$, and $F$ in $\mathbb{K}[Y]$, of degree $\deg(F) < \delta_T$. We show here how to compute $K = F(G) \in R_T$,
using change of order as our main subroutine.

Consider the triangular set (for the order $X_1 < X_2 < Y$)

$$T' \;\left|\; \begin{array}{l} Y - G(X_1, X_2) \\ T_2(X_1, X_2) \\ T_1(X_1); \end{array} \right.$$

let $V \subset \overline{\mathbb{K}}^3$ be its zero-set, and let us compute the equiprojectable decomposition of $V$ for the
order $<'$, where $<'$ is the order $Y <' X_1 <' X_2$. We obtain a family of triangular sets
$U^{(1)}, \dots, U^{(N)}$ of the form

$$U^{(i)} \;\left|\; \begin{array}{l} U_{i,2}(Y, X_1, X_2) \\ U_{i,1}(Y, X_1) \\ R_i(Y). \end{array} \right.$$



Let now $I$ be the ideal generated by the polynomials (which do not form a triangular set,
since the first polynomial is not reduced)

$$\begin{array}{l} Z - F(Y) \\ Y - G(X_1, X_2) \\ T_2(X_1, X_2) \\ T_1(X_1). \end{array}$$

After reduction, we see that $I$ is generated by the triangular set (for the order
$X_1 < X_2 < Y < Z$)

$$T'' \;\left|\; \begin{array}{l} Z - K(X_1, X_2) \\ Y - G(X_1, X_2) \\ T_2(X_1, X_2) \\ T_1(X_1), \end{array} \right.$$

where $K$ is the polynomial we want to compute. On the other hand, the construction of the
triangular sets $U^{(i)}$ shows that $I$ is the intersection of the ideals generated by the triangular
sets $V^{(i)}$ (for the order $Y <' X_1 <' X_2 <' Z$) given by

$$V^{(i)} \;\left|\; \begin{array}{l} Z - F_i(Y) \\ U_{i,2}(Y, X_1, X_2) \\ U_{i,1}(Y, X_1) \\ R_i(Y), \end{array} \right.$$

with $F_i = F \bmod R_i$. The algorithm is then the following:

• First, we compute all triangular sets $U^{(i)}$. Since $T'$ generates a radical ideal, this can
be done in $E(3, \delta_T) \le E(4, \delta_T)$ base field operations (obviously, $E(n, \delta) \le E(n', \delta)$ holds
for all $n \le n'$, as can be seen by using $n' - n$ dummy polynomials to obtain a triangular
set in $n'$ variables).

• Next, we compute all triangular sets $V^{(i)}$. This requires us to compute all $F_i$. Since
$\deg(F) < \delta_T$, and since the sum of the degrees of the $R_i$ is at most $\delta_T$ as well, all $F_i$ can
be computed in time $O(M(\delta_T)\log(\delta_T))$ using fast multiple reduction JW, Chapter 10].

• Finally, we compute $T''$, and thus $K$, by computing the equiprojectable decomposition
of $V(V^{(1)}) \cup \cdots \cup V(V^{(N)})$, for the order $X_1 < X_2 < Y < Z$. Again, this takes time
$E(4, \delta_T)$.

The total time is at most $2E(4, \delta_T) + O(M(\delta_T)\log(\delta_T))$, which fits into the claimed bound.

5.2 Power projection

We will now prove the second part of Theorem 2, dealing with power projection. Let thus
$T = (T_1, T_2)$ be a triangular set in $\mathbb{K}[X_1, X_2]$ that generates a radical ideal, let $G$ be in $R_T$,
and let $\ell : R_T \to \mathbb{K}$ be a $\mathbb{K}$-linear form. Given an integer $f < \delta_T$, we show here how to
compute the values $\ell(G^c)$, for $0 \le c < f$. We start with a folklore lemma involving univariate
computations only.

Univariate computations. Let $\mathbb{A}$ be a ring, $F$ a monic polynomial of degree $d$ in $\mathbb{A}[X]$,
and $R$ the free $\mathbb{A}$-module $\mathbb{A}[X]/\langle F \rangle$, with the (classes of) $1, X, \dots, X^{d-1}$ as a basis. In
this context, the trace $\tau : R \to \mathbb{A}$ is still well-defined, with $\tau(A)$ being the trace of the
multiplication map by $A$ in $R$. For $A \in R$ and $\ell$ an $\mathbb{A}$-linear form $R \to \mathbb{A}$, the $\mathbb{A}$-linear form
$A \cdot \ell$ is defined as before, by $(A \cdot \ell)(B) = \ell(AB)$.

Lemma 7. Suppose that the derivative $dF/dX$ of $F$ is invertible in $R$, with inverse $G$.
Given $G$, and given an $\mathbb{A}$-linear form $\ell : R \to \mathbb{A}$, we can compute $A$ in $R$ such that $\ell = A \cdot \tau$,
using $O(M(d))$ operations in $\mathbb{A}$.

Proof. Let us define another useful $\mathbb{A}$-linear form, the residue $\rho : R \to \mathbb{A}$, by $\rho(X^i) = 0$
for $i < d - 1$ and $\rho(X^{d-1}) = 1$. Given $\ell$ as above, it is known that there exists $B$ such
that $\ell = B \cdot \rho$. Indeed, a straightforward computation shows that the values $(B \cdot \rho)(X^i)$,
for $i = 0, \dots, d - 1$, are the coefficients of $\mathrm{rev}(B, d - 1)/\mathrm{rev}(F, d) \bmod X^d$, where for any
polynomial $P \in \mathbb{A}[X]$ and any $d \ge \deg(P)$, we write $\mathrm{rev}(P, d) = X^d P(1/X)$. This implies
that given $\ell$, we can find the requested $B$ by means of a power series multiplication modulo
$X^d$, which can be done in $M(d)$ operations in $\mathbb{A}$.

Furthermore, the Euler formula pTl Proposition 2.4] shows that $\tau = dF/dX \cdot \rho$, so that
$\rho = G \cdot \tau$. With $\ell$ and $B$ as above, this implies that we have $\ell = A \cdot \tau$, with $A = BG \bmod F$.
Computing $A$ thus takes another $O(M(d))$ operations in $\mathbb{A}$, proving the lemma. □

Bivariate computations. We will now apply the results of the former paragraph in a
bivariate context. The notation is the one introduced at the beginning of this subsection;
furthermore, we let $\mathrm{tr} : R_T \to \mathbb{K}$ be the trace linear form. We also write $d_1 = \deg(T_1, X_1)$
and $d_2 = \deg(T_2, X_2)$, so that $\delta_T = d_1 d_2$.

Lemma 8. Given a $\mathbb{K}$-linear form $\ell : R_T \to \mathbb{K}$, one can compute an element $A \in R_T$ such
that $\ell = A \cdot \mathrm{tr}$ in time $O(M(d_1)M(d_2)\log(d_1)\log(d_2))$.

Proof. Let us define $S_T = \mathbb{K}[X_1]/\langle T_1 \rangle$, so that we have $R_T = S_T[X_2]/\langle T_2 \rangle$. Let further
$\tau_1 : S_T \to \mathbb{K}$ and $\tau_2 : R_T \to S_T$ be the trace forms; thus, $\tau_1$ is $\mathbb{K}$-linear, $\tau_2$ is $S_T$-linear, and
we have $\mathrm{tr} = \tau_1 \circ \tau_2$.

First, we are going to factor $\ell : R_T \to \mathbb{K}$ as $\ell = \tau_1 \circ L$, where $L : R_T \to S_T$ is a suitable
$S_T$-linear form. Computing $L$ amounts to computing $\Lambda_{i_2} = L(X_2^{i_2})$, for $i_2 = 0, \dots, d_2 - 1$; the
condition defining $L$ is equivalent to $\ell(X_1^{i_1} X_2^{i_2}) = \tau_1(L(X_1^{i_1} X_2^{i_2}))$, for $i_1 = 0, \dots, d_1 - 1$ and
$i_2 = 0, \dots, d_2 - 1$. This can be rewritten as $\ell(X_1^{i_1} X_2^{i_2}) = \tau_1(X_1^{i_1} \Lambda_{i_2})$, by $S_T$-linearity of $L$.
For a fixed $i_2 < d_2$, let $\ell_{i_2}$ be the $\mathbb{K}$-linear form $S_T \to \mathbb{K}$ defined by $\ell_{i_2}(A) = \ell(A X_2^{i_2})$. Then,
the previous condition says that $\ell_{i_2} = \Lambda_{i_2} \cdot \tau_1$.

Computing the linear forms $\ell_{i_2}$ is free (since their values on the canonical basis of $S_T$ are
simply values of $\ell$); then, finding $\Lambda_{i_2}$ is done by first inverting $T_1'$ modulo $T_1$, and applying
Lemma 7 for the extension $S_T \to \mathbb{K}$. The total time to compute all $\Lambda_{i_2}$ is thus
$O((\log(d_1) + d_2) M(d_1))$.

Now that we have written $\ell = \tau_1 \circ L$, we will apply Lemma 7 to $L$, for the extension
$R_T \to S_T$. This requires us to invert $dT_2/dX_2$ in $R_T$; a quasi-linear time algorithm is given
in [1], with a cost $O(M(d_1)M(d_2)\log(d_1)\log(d_2))$. Once this is done, Lemma 7 gives us an
element $A \in R_T$ such that $L = A \cdot \tau_2$ in time $O(M(d_1)M(d_2))$.

To summarize, we have written $\ell = \tau_1 \circ L$ and $L = A \cdot \tau_2$, so that $\ell(B) = \tau_1(\tau_2(AB))$
holds for all $B \in R_T$. Since $\tau_1 \circ \tau_2 = \mathrm{tr}$, this implies that $\ell = A \cdot \mathrm{tr}$. □

Transposed multiple reduction. Our next ingredient is an algorithm for the following
operation. Consider some pairwise coprime monic polynomials $R_1, \dots, R_N$ in $\mathbb{K}[X]$, and let
$R = R_1 \cdots R_N$.

We have already mentioned the multiple reduction map
$\mathbb{K}[X]/\langle R \rangle \to \mathbb{K}[X]/\langle R_1 \rangle \times \cdots \times \mathbb{K}[X]/\langle R_N \rangle$;
writing $d = \deg(R)$, this operation can be done in time $O(M(d)\log(d))$. In this
paragraph, we will discuss the dual map. On input linear forms $\ell_i : \mathbb{K}[X]/\langle R_i \rangle \to \mathbb{K}$, this
dual map computes the linear form $\ell : \mathbb{K}[X]/\langle R \rangle \to \mathbb{K}$ defined by

$$A \mapsto \sum_{i \le N} \ell_i(A \bmod R_i),$$

where all $\ell_i$ and $\ell$ are given by means of their values on the monomial bases of the respective
$\mathbb{K}[X]/\langle R_i \rangle$ and $\mathbb{K}[X]/\langle R \rangle$. In other words, it computes the values

$$\sum_{i \le N} \ell_i(X^j \bmod R_i),$$

for $j = 0, \dots, d - 1$. In 0, an algorithm called TSimulMod is given that solves this problem
in time $O(M(d)\log(d))$. Computing the above values up to index $e$, for some $e > d$, can then
be done in time $O(M(e))$, see for instance [7].

Conclusion. Let us return to the proof of Theorem 2. On input $T = (T_1, T_2)$, $G \in R_T$
and $\ell : R_T \to \mathbb{K}$, we will show how to compute the values $\ell(G^c)$, for $0 \le c < \delta_T$. Using the
algorithm of Lemma 8, we can compute $A \in R_T$ such that the values we want are of the form
$\mathrm{tr}(AG^c)$, for $0 \le c < \delta_T$.

Let us introduce the triangular set (for the order $X_1 < X_2 < Y < Z$)

$$T' \;\left|\; \begin{array}{l} Z - G(X_1, X_2) \\ Y - A(X_1, X_2) \\ T_2(X_1, X_2) \\ T_1(X_1), \end{array} \right.$$

and let its equiprojectable decomposition for the order $Z <' Y <' X_1 <' X_2$ be given by
triangular sets

$$U^{(i)} \;\left|\; \begin{array}{l} U_{i,2}(Z, Y, X_1, X_2) \\ U_{i,1}(Z, Y, X_1) \\ S_i(Z, Y) \\ R_i(Z), \end{array} \right. \qquad 1 \le i \le N.$$

For $i \le N$, let $\tau_i : R_{U^{(i)}} \to \mathbb{K}$ be the trace modulo $\langle U^{(i)} \rangle$. Since $R_T$ and $R_{T'}$ are isomorphic
$\mathbb{K}$-algebras, the traces in $R_T$ and $R_{T'}$ coincide. Since $\langle T' \rangle$ is the intersection of the pairwise
coprime ideals $\langle U^{(i)} \rangle$, it follows (for instance from Stickelberger's Theorem) that for any
index $c$, we have


i<N 



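For $i \le N$, let $\ell_i$ be the linear form $\mathbb{K}[Z]/\langle R_i \rangle \to \mathbb{K}$ defined by $\ell_i(B) = \tau_i(YB)$. Then, one
sees that $\tau_i(YZ^c) = \ell_i(Z^c)$, so that we have

$$\mathrm{tr}(AG^c) = \sum_{i \le N} \ell_i(Z^c). \qquad (8)$$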

Using this remark, we can now give the whole algorithm and its running time.

• First, we compute $A \in R_T$ such that $\ell = A \cdot \mathrm{tr}$. By Lemma 8, this can be done in time
$O(M(d_1)M(d_2)\log(d_1)\log(d_2))$.

• Next, we compute the triangular sets $U^{(i)}$, $i = 1, \dots, N$. This takes time $E(4, \delta_T)$.

• The following step consists of computing the linear forms $\tau_i$ (by means of their values
on the canonical bases of the residue class rings $R_{U^{(i)}}$). We have seen in Subsection 2.1
that we can compute each of those in time $O(M(\delta_{U^{(i)}}))$, so the total time is $O(M(\delta_T))$
by the super-linearity of $M$.

• Knowing the linear forms $\tau_i$, we can deduce $\ell_i$ by first computing all $Y \cdot \tau_i$ (for a total
time of $O(M(\delta_T))$ again), from which the values of $\ell_i$ on the basis of $\mathbb{K}[Z]/\langle R_i \rangle$ can be
read off.

• Finally, we obtain $\mathrm{tr}(AG^c)$, for $c = 0, \dots, \delta_T - 1$, using Eq. (8) and the algorithm for
transposed multiple reduction; this takes time $O(M(\delta_T)\log(\delta_T))$.

Taking a quasi-linear $M$, and summing all previous costs, the claim in Theorem 2 follows.